Add composite authentication support
Add support for composite authentication using a new 'service token' in addition to the existing 'user token'. If no service token is present there is no change in current behaviour. If a service token is present and successfully validated then additional wsgi environment variables are set which services may use to allow or deny actions in conjunction with the existing environment variables. For now delayed authentication is not supported for service tokens; if a service token is present but invalid then HTTP Unauthorized (401) will be returned. Change-Id: Idb97c075a59d716af8bc56875785b825625bf0c9 Implements: bp service-tokens
This commit is contained in:
parent
1f8b4fe443
commit
3aa18b2450
@ -41,6 +41,9 @@ Coming in from initial call from client or customer
|
|||||||
HTTP_X_AUTH_TOKEN
|
HTTP_X_AUTH_TOKEN
|
||||||
The client token being passed in.
|
The client token being passed in.
|
||||||
|
|
||||||
|
HTTP_X_SERVICE_TOKEN
|
||||||
|
A service token being passed in.
|
||||||
|
|
||||||
HTTP_X_STORAGE_TOKEN
|
HTTP_X_STORAGE_TOKEN
|
||||||
The client token being passed in (legacy Rackspace use) to support
|
The client token being passed in (legacy Rackspace use) to support
|
||||||
swift/cloud files
|
swift/cloud files
|
||||||
@ -55,55 +58,61 @@ WWW-Authenticate
|
|||||||
What we add to the request for use by the OpenStack service
|
What we add to the request for use by the OpenStack service
|
||||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||||
|
|
||||||
|
When using composite authentication (a user and service token are
|
||||||
|
present) additional service headers relating to the service user
|
||||||
|
will be added. They take the same form as the standard headers but add
|
||||||
|
'_SERVICE_'. These headers will not exist in the environment if no
|
||||||
|
service token is present.
|
||||||
|
|
||||||
HTTP_X_IDENTITY_STATUS
|
HTTP_X_IDENTITY_STATUS
|
||||||
'Confirmed' or 'Invalid'
|
'Confirmed' or 'Invalid'
|
||||||
The underlying service will only see a value of 'Invalid' if the Middleware
|
The underlying service will only see a value of 'Invalid' if the Middleware
|
||||||
is configured to run in 'delay_auth_decision' mode
|
is configured to run in 'delay_auth_decision' mode
|
||||||
|
|
||||||
HTTP_X_DOMAIN_ID
|
HTTP_X_DOMAIN_ID, HTTP_X_SERVICE_DOMAIN_ID
|
||||||
Identity service managed unique identifier, string. Only present if
|
Identity service managed unique identifier, string. Only present if
|
||||||
this is a domain-scoped v3 token.
|
this is a domain-scoped v3 token.
|
||||||
|
|
||||||
HTTP_X_DOMAIN_NAME
|
HTTP_X_DOMAIN_NAME, HTTP_X_SERVICE_DOMAIN_NAME
|
||||||
Unique domain name, string. Only present if this is a domain-scoped
|
Unique domain name, string. Only present if this is a domain-scoped
|
||||||
v3 token.
|
v3 token.
|
||||||
|
|
||||||
HTTP_X_PROJECT_ID
|
HTTP_X_PROJECT_ID, HTTP_X_SERVICE_PROJECT_ID
|
||||||
Identity service managed unique identifier, string. Only present if
|
Identity service managed unique identifier, string. Only present if
|
||||||
this is a project-scoped v3 token, or a tenant-scoped v2 token.
|
this is a project-scoped v3 token, or a tenant-scoped v2 token.
|
||||||
|
|
||||||
HTTP_X_PROJECT_NAME
|
HTTP_X_PROJECT_NAME, HTTP_X_SERVICE_PROJECT_NAME
|
||||||
Project name, unique within owning domain, string. Only present if
|
Project name, unique within owning domain, string. Only present if
|
||||||
this is a project-scoped v3 token, or a tenant-scoped v2 token.
|
this is a project-scoped v3 token, or a tenant-scoped v2 token.
|
||||||
|
|
||||||
HTTP_X_PROJECT_DOMAIN_ID
|
HTTP_X_PROJECT_DOMAIN_ID, HTTP_X_SERVICE_PROJECT_DOMAIN_ID
|
||||||
Identity service managed unique identifier of owning domain of
|
Identity service managed unique identifier of owning domain of
|
||||||
project, string. Only present if this is a project-scoped v3 token. If
|
project, string. Only present if this is a project-scoped v3 token. If
|
||||||
this variable is set, this indicates that the PROJECT_NAME can only
|
this variable is set, this indicates that the PROJECT_NAME can only
|
||||||
be assumed to be unique within this domain.
|
be assumed to be unique within this domain.
|
||||||
|
|
||||||
HTTP_X_PROJECT_DOMAIN_NAME
|
HTTP_X_PROJECT_DOMAIN_NAME, HTTP_X_SERVICE_PROJECT_DOMAIN_NAME
|
||||||
Name of owning domain of project, string. Only present if this is a
|
Name of owning domain of project, string. Only present if this is a
|
||||||
project-scoped v3 token. If this variable is set, this indicates that
|
project-scoped v3 token. If this variable is set, this indicates that
|
||||||
the PROJECT_NAME can only be assumed to be unique within this domain.
|
the PROJECT_NAME can only be assumed to be unique within this domain.
|
||||||
|
|
||||||
HTTP_X_USER_ID
|
HTTP_X_USER_ID, HTTP_X_SERVICE_USER_ID
|
||||||
Identity-service managed unique identifier, string
|
Identity-service managed unique identifier, string
|
||||||
|
|
||||||
HTTP_X_USER_NAME
|
HTTP_X_USER_NAME, HTTP_X_SERVICE_USER_NAME
|
||||||
User identifier, unique within owning domain, string
|
User identifier, unique within owning domain, string
|
||||||
|
|
||||||
HTTP_X_USER_DOMAIN_ID
|
HTTP_X_USER_DOMAIN_ID, HTTP_X_SERVICE_USER_DOMAIN_ID
|
||||||
Identity service managed unique identifier of owning domain of
|
Identity service managed unique identifier of owning domain of
|
||||||
user, string. If this variable is set, this indicates that the USER_NAME
|
user, string. If this variable is set, this indicates that the USER_NAME
|
||||||
can only be assumed to be unique within this domain.
|
can only be assumed to be unique within this domain.
|
||||||
|
|
||||||
HTTP_X_USER_DOMAIN_NAME
|
HTTP_X_USER_DOMAIN_NAME, HTTP_X_SERVICE_USER_DOMAIN_NAME
|
||||||
Name of owning domain of user, string. If this variable is set, this
|
Name of owning domain of user, string. If this variable is set, this
|
||||||
indicates that the USER_NAME can only be assumed to be unique within
|
indicates that the USER_NAME can only be assumed to be unique within
|
||||||
this domain.
|
this domain.
|
||||||
|
|
||||||
HTTP_X_ROLES
|
HTTP_X_ROLES, HTTP_X_SERVICE_ROLES
|
||||||
Comma delimited list of case-sensitive role names
|
Comma delimited list of case-sensitive role names
|
||||||
|
|
||||||
HTTP_X_SERVICE_CATALOG
|
HTTP_X_SERVICE_CATALOG
|
||||||
@ -111,6 +120,11 @@ HTTP_X_SERVICE_CATALOG
|
|||||||
For compatibility reasons this catalog will always be in the V2 catalog
|
For compatibility reasons this catalog will always be in the V2 catalog
|
||||||
format even if it is a v3 token.
|
format even if it is a v3 token.
|
||||||
|
|
||||||
|
Note: This is an exception in that it contains 'SERVICE' but relates to a
|
||||||
|
user token, not a service token. The existing user's
|
||||||
|
catalog can be very large; it was decided not to present a catalog
|
||||||
|
relating to the service token to avoid using more HTTP header space.
|
||||||
|
|
||||||
HTTP_X_TENANT_ID
|
HTTP_X_TENANT_ID
|
||||||
*Deprecated* in favor of HTTP_X_PROJECT_ID
|
*Deprecated* in favor of HTTP_X_PROJECT_ID
|
||||||
Identity service managed unique identifier, string. For v3 tokens, this
|
Identity service managed unique identifier, string. For v3 tokens, this
|
||||||
@ -345,6 +359,26 @@ CONF.register_opts(_OPTS, group='keystone_authtoken')
|
|||||||
|
|
||||||
_LIST_OF_VERSIONS_TO_ATTEMPT = ['v3.0', 'v2.0']
|
_LIST_OF_VERSIONS_TO_ATTEMPT = ['v3.0', 'v2.0']
|
||||||
|
|
||||||
|
_HEADER_TEMPLATE = {
|
||||||
|
'X%s-Domain-Id': 'domain_id',
|
||||||
|
'X%s-Domain-Name': 'domain_name',
|
||||||
|
'X%s-Project-Id': 'project_id',
|
||||||
|
'X%s-Project-Name': 'project_name',
|
||||||
|
'X%s-Project-Domain-Id': 'project_domain_id',
|
||||||
|
'X%s-Project-Domain-Name': 'project_domain_name',
|
||||||
|
'X%s-User-Id': 'user_id',
|
||||||
|
'X%s-User-Name': 'username',
|
||||||
|
'X%s-User-Domain-Id': 'user_domain_id',
|
||||||
|
'X%s-User-Domain-Name': 'user_domain_name',
|
||||||
|
}
|
||||||
|
|
||||||
|
_DEPRECATED_HEADER_TEMPLATE = {
|
||||||
|
'X-User': 'username',
|
||||||
|
'X-Tenant-Id': 'project_id',
|
||||||
|
'X-Tenant-Name': 'project_name',
|
||||||
|
'X-Tenant': 'project_name',
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
class _BIND_MODE:
|
class _BIND_MODE:
|
||||||
DISABLED = 'disabled'
|
DISABLED = 'disabled'
|
||||||
@ -374,13 +408,13 @@ def _token_is_v3(token_info):
|
|||||||
|
|
||||||
def _get_token_expiration(data):
|
def _get_token_expiration(data):
|
||||||
if not data:
|
if not data:
|
||||||
raise InvalidUserToken('Token authorization failed')
|
raise InvalidToken('Token authorization failed')
|
||||||
if _token_is_v2(data):
|
if _token_is_v2(data):
|
||||||
timestamp = data['access']['token']['expires']
|
timestamp = data['access']['token']['expires']
|
||||||
elif _token_is_v3(data):
|
elif _token_is_v3(data):
|
||||||
timestamp = data['token']['expires_at']
|
timestamp = data['token']['expires_at']
|
||||||
else:
|
else:
|
||||||
raise InvalidUserToken('Token authorization failed')
|
raise InvalidToken('Token authorization failed')
|
||||||
expires = timeutils.parse_isotime(timestamp)
|
expires = timeutils.parse_isotime(timestamp)
|
||||||
expires = timeutils.normalize_time(expires)
|
expires = timeutils.normalize_time(expires)
|
||||||
return expires
|
return expires
|
||||||
@ -390,7 +424,7 @@ def _confirm_token_not_expired(data):
|
|||||||
expires = _get_token_expiration(data)
|
expires = _get_token_expiration(data)
|
||||||
utcnow = timeutils.utcnow()
|
utcnow = timeutils.utcnow()
|
||||||
if utcnow >= expires:
|
if utcnow >= expires:
|
||||||
raise InvalidUserToken('Token authorization failed')
|
raise InvalidToken('Token authorization failed')
|
||||||
return timeutils.isotime(at=expires, subsecond=True)
|
return timeutils.isotime(at=expires, subsecond=True)
|
||||||
|
|
||||||
|
|
||||||
@ -456,7 +490,7 @@ def _conf_values_type_convert(conf):
|
|||||||
return opts
|
return opts
|
||||||
|
|
||||||
|
|
||||||
class InvalidUserToken(Exception):
|
class InvalidToken(Exception):
|
||||||
pass
|
pass
|
||||||
|
|
||||||
|
|
||||||
@ -603,6 +637,7 @@ class AuthProtocol(object):
|
|||||||
|
|
||||||
self._check_revocations_for_cached = self._conf_get(
|
self._check_revocations_for_cached = self._conf_get(
|
||||||
'check_revocations_for_cached')
|
'check_revocations_for_cached')
|
||||||
|
self._init_auth_headers()
|
||||||
|
|
||||||
def _conf_get(self, name):
|
def _conf_get(self, name):
|
||||||
# try config from paste-deploy first
|
# try config from paste-deploy first
|
||||||
@ -630,74 +665,102 @@ class AuthProtocol(object):
|
|||||||
we can't authenticate.
|
we can't authenticate.
|
||||||
|
|
||||||
"""
|
"""
|
||||||
self._LOG.debug('Authenticating user token')
|
def _fmt_msg(env):
|
||||||
|
msg = ('user: user_id %s, project_id %s, roles %s '
|
||||||
|
'service: user_id %s, project_id %s, roles %s' % (
|
||||||
|
env.get('X_USER_ID'), env.get('X_PROJECT_ID'),
|
||||||
|
env.get('X_ROLES'), env.get('X_SERVICE_USER_ID'),
|
||||||
|
env.get('X_SERVICE_PROJECT_ID'),
|
||||||
|
env.get('X_SERVICE_ROLES')))
|
||||||
|
return msg
|
||||||
|
|
||||||
self._token_cache.initialize(env)
|
self._token_cache.initialize(env)
|
||||||
|
self._remove_auth_headers(env)
|
||||||
|
|
||||||
try:
|
try:
|
||||||
self._remove_auth_headers(env)
|
|
||||||
|
try:
|
||||||
|
self._LOG.debug('Authenticating user token')
|
||||||
user_token = self._get_user_token_from_header(env)
|
user_token = self._get_user_token_from_header(env)
|
||||||
token_info = self._validate_user_token(user_token, env)
|
token_info = self._validate_token(user_token, env)
|
||||||
auth_ref = access.AccessInfo.factory(body=token_info)
|
auth_ref = access.AccessInfo.factory(body=token_info)
|
||||||
env['keystone.token_info'] = token_info
|
env['keystone.token_info'] = token_info
|
||||||
env['keystone.token_auth'] = _UserAuthPlugin(user_token, auth_ref)
|
env['keystone.token_auth'] = _UserAuthPlugin(
|
||||||
|
user_token, auth_ref)
|
||||||
user_headers = self._build_user_headers(auth_ref, token_info)
|
user_headers = self._build_user_headers(auth_ref, token_info)
|
||||||
self._add_headers(env, user_headers)
|
self._add_headers(env, user_headers)
|
||||||
return self._call_app(env, start_response)
|
except InvalidToken:
|
||||||
|
|
||||||
except InvalidUserToken:
|
|
||||||
if self._delay_auth_decision:
|
if self._delay_auth_decision:
|
||||||
self._LOG.info(
|
self._LOG.info(
|
||||||
'Invalid user token - deferring reject downstream')
|
'Invalid user token - deferring reject downstream')
|
||||||
self._add_headers(env, {'X-Identity-Status': 'Invalid'})
|
self._add_headers(env, {'X-Identity-Status': 'Invalid'})
|
||||||
return self._call_app(env, start_response)
|
|
||||||
else:
|
else:
|
||||||
self._LOG.info('Invalid user token - rejecting request')
|
self._LOG.info('Invalid user token - rejecting request')
|
||||||
return self._reject_request(env, start_response)
|
return self._reject_request(env, start_response)
|
||||||
|
|
||||||
|
try:
|
||||||
|
self._LOG.debug('Authenticating service token')
|
||||||
|
serv_token = self._get_service_token_from_header(env)
|
||||||
|
if serv_token is not None:
|
||||||
|
serv_token_info = self._validate_token(
|
||||||
|
serv_token, env)
|
||||||
|
serv_headers = self._build_service_headers(serv_token_info)
|
||||||
|
self._add_headers(env, serv_headers)
|
||||||
|
except InvalidToken:
|
||||||
|
# Delayed auth not currently supported for service tokens.
|
||||||
|
# (Can be implemented if a use case is found.)
|
||||||
|
self._LOG.info('Invalid service token - rejecting request')
|
||||||
|
return self._reject_request(env, start_response)
|
||||||
|
|
||||||
except ServiceError as e:
|
except ServiceError as e:
|
||||||
self._LOG.critical('Unable to obtain admin token: %s', e)
|
self._LOG.critical('Unable to obtain admin token: %s', e)
|
||||||
resp = _MiniResp('Service unavailable', env)
|
resp = _MiniResp('Service unavailable', env)
|
||||||
start_response('503 Service Unavailable', resp.headers)
|
start_response('503 Service Unavailable', resp.headers)
|
||||||
return resp.body
|
return resp.body
|
||||||
|
|
||||||
|
self._LOG.debug("Received request from %s" % _fmt_msg(env))
|
||||||
|
|
||||||
|
return self._call_app(env, start_response)
|
||||||
|
|
||||||
|
def _init_auth_headers(self):
|
||||||
|
"""Initialize auth header list.
|
||||||
|
|
||||||
|
Both user and service token headers are generated.
|
||||||
|
"""
|
||||||
|
auth_headers = ['X-Service-Catalog',
|
||||||
|
'X-Identity-Status',
|
||||||
|
'X-Roles',
|
||||||
|
'X-Service-Roles']
|
||||||
|
for key in six.iterkeys(_HEADER_TEMPLATE):
|
||||||
|
auth_headers.append(key % '')
|
||||||
|
# Service headers
|
||||||
|
auth_headers.append(key % '-Service')
|
||||||
|
|
||||||
|
# Deprecated headers
|
||||||
|
auth_headers.append('X-Role')
|
||||||
|
for key in six.iterkeys(_DEPRECATED_HEADER_TEMPLATE):
|
||||||
|
auth_headers.append(key)
|
||||||
|
|
||||||
|
self._auth_headers = auth_headers
|
||||||
|
|
||||||
def _remove_auth_headers(self, env):
|
def _remove_auth_headers(self, env):
|
||||||
"""Remove headers so a user can't fake authentication.
|
"""Remove headers so a user can't fake authentication.
|
||||||
|
|
||||||
|
Both user and service token headers are removed.
|
||||||
|
|
||||||
:param env: wsgi request environment
|
:param env: wsgi request environment
|
||||||
|
|
||||||
"""
|
"""
|
||||||
auth_headers = (
|
|
||||||
'X-Identity-Status',
|
|
||||||
'X-Domain-Id',
|
|
||||||
'X-Domain-Name',
|
|
||||||
'X-Project-Id',
|
|
||||||
'X-Project-Name',
|
|
||||||
'X-Project-Domain-Id',
|
|
||||||
'X-Project-Domain-Name',
|
|
||||||
'X-User-Id',
|
|
||||||
'X-User-Name',
|
|
||||||
'X-User-Domain-Id',
|
|
||||||
'X-User-Domain-Name',
|
|
||||||
'X-Roles',
|
|
||||||
'X-Service-Catalog',
|
|
||||||
# Deprecated
|
|
||||||
'X-User',
|
|
||||||
'X-Tenant-Id',
|
|
||||||
'X-Tenant-Name',
|
|
||||||
'X-Tenant',
|
|
||||||
'X-Role',
|
|
||||||
)
|
|
||||||
self._LOG.debug('Removing headers from request environment: %s',
|
self._LOG.debug('Removing headers from request environment: %s',
|
||||||
','.join(auth_headers))
|
','.join(self._auth_headers))
|
||||||
self._remove_headers(env, auth_headers)
|
self._remove_headers(env, self._auth_headers)
|
||||||
|
|
||||||
def _get_user_token_from_header(self, env):
|
def _get_user_token_from_header(self, env):
|
||||||
"""Get token id from request.
|
"""Get token id from request.
|
||||||
|
|
||||||
:param env: wsgi request environment
|
:param env: wsgi request environment
|
||||||
:return token id
|
:return token id
|
||||||
:raises InvalidUserToken if no token is provided in request
|
:raises InvalidToken if no token is provided in request
|
||||||
|
|
||||||
"""
|
"""
|
||||||
token = self._get_header(env, 'X-Auth-Token',
|
token = self._get_header(env, 'X-Auth-Token',
|
||||||
@ -709,7 +772,16 @@ class AuthProtocol(object):
|
|||||||
self._LOG.warn('Unable to find authentication token'
|
self._LOG.warn('Unable to find authentication token'
|
||||||
' in headers')
|
' in headers')
|
||||||
self._LOG.debug('Headers: %s', env)
|
self._LOG.debug('Headers: %s', env)
|
||||||
raise InvalidUserToken('Unable to find token in headers')
|
raise InvalidToken('Unable to find token in headers')
|
||||||
|
|
||||||
|
def _get_service_token_from_header(self, env):
|
||||||
|
"""Get service token id from request.
|
||||||
|
|
||||||
|
:param env: wsgi request environment
|
||||||
|
:return service token id or None if not present
|
||||||
|
|
||||||
|
"""
|
||||||
|
return self._get_header(env, 'X-Service-Token')
|
||||||
|
|
||||||
@property
|
@property
|
||||||
def _reject_auth_headers(self):
|
def _reject_auth_headers(self):
|
||||||
@ -729,20 +801,20 @@ class AuthProtocol(object):
|
|||||||
start_response('401 Unauthorized', resp.headers)
|
start_response('401 Unauthorized', resp.headers)
|
||||||
return resp.body
|
return resp.body
|
||||||
|
|
||||||
def _validate_user_token(self, user_token, env, retry=True):
|
def _validate_token(self, token, env, retry=True):
|
||||||
"""Authenticate user token
|
"""Authenticate user token
|
||||||
|
|
||||||
:param user_token: user's token id
|
:param token: token id
|
||||||
:param retry: Ignored, as it is not longer relevant
|
:param retry: Ignored, as it is not longer relevant
|
||||||
:return uncrypted body of the token if the token is valid
|
:return uncrypted body of the token if the token is valid
|
||||||
:raise InvalidUserToken if token is rejected
|
:raise InvalidToken if token is rejected
|
||||||
:no longer raises ServiceError since it no longer makes RPC
|
:no longer raises ServiceError since it no longer makes RPC
|
||||||
|
|
||||||
"""
|
"""
|
||||||
token_id = None
|
token_id = None
|
||||||
|
|
||||||
try:
|
try:
|
||||||
token_ids, cached = self._token_cache.get(user_token)
|
token_ids, cached = self._token_cache.get(token)
|
||||||
token_id = token_ids[0]
|
token_id = token_ids[0]
|
||||||
if cached:
|
if cached:
|
||||||
# Token was retrieved from the cache. In this case, there's no
|
# Token was retrieved from the cache. In this case, there's no
|
||||||
@ -761,22 +833,22 @@ class AuthProtocol(object):
|
|||||||
if is_revoked:
|
if is_revoked:
|
||||||
self._LOG.debug(
|
self._LOG.debug(
|
||||||
'Token is marked as having been revoked')
|
'Token is marked as having been revoked')
|
||||||
raise InvalidUserToken(
|
raise InvalidToken(
|
||||||
'Token authorization failed')
|
'Token authorization failed')
|
||||||
self._confirm_token_bind(data, env)
|
self._confirm_token_bind(data, env)
|
||||||
else:
|
else:
|
||||||
# Token wasn't cached. In this case, the token needs to be
|
# Token wasn't cached. In this case, the token needs to be
|
||||||
# checked that it's not expired, and also put in the cache.
|
# checked that it's not expired, and also put in the cache.
|
||||||
if cms.is_pkiz(user_token):
|
if cms.is_pkiz(token):
|
||||||
verified = self._verify_pkiz_token(user_token, token_ids)
|
verified = self._verify_pkiz_token(token, token_ids)
|
||||||
data = jsonutils.loads(verified)
|
data = jsonutils.loads(verified)
|
||||||
expires = _confirm_token_not_expired(data)
|
expires = _confirm_token_not_expired(data)
|
||||||
elif cms.is_asn1_token(user_token):
|
elif cms.is_asn1_token(token):
|
||||||
verified = self._verify_signed_token(user_token, token_ids)
|
verified = self._verify_signed_token(token, token_ids)
|
||||||
data = jsonutils.loads(verified)
|
data = jsonutils.loads(verified)
|
||||||
expires = _confirm_token_not_expired(data)
|
expires = _confirm_token_not_expired(data)
|
||||||
else:
|
else:
|
||||||
data = self._identity_server.verify_token(user_token,
|
data = self._identity_server.verify_token(token,
|
||||||
retry)
|
retry)
|
||||||
# No need to confirm token expiration here since
|
# No need to confirm token expiration here since
|
||||||
# verify_token fails for expired tokens.
|
# verify_token fails for expired tokens.
|
||||||
@ -787,13 +859,13 @@ class AuthProtocol(object):
|
|||||||
except NetworkError:
|
except NetworkError:
|
||||||
self._LOG.debug('Token validation failure.', exc_info=True)
|
self._LOG.debug('Token validation failure.', exc_info=True)
|
||||||
self._LOG.warn('Authorization failed for token')
|
self._LOG.warn('Authorization failed for token')
|
||||||
raise InvalidUserToken('Token authorization failed')
|
raise InvalidToken('Token authorization failed')
|
||||||
except Exception:
|
except Exception:
|
||||||
self._LOG.debug('Token validation failure.', exc_info=True)
|
self._LOG.debug('Token validation failure.', exc_info=True)
|
||||||
if token_id:
|
if token_id:
|
||||||
self._token_cache.store_invalid(token_id)
|
self._token_cache.store_invalid(token_id)
|
||||||
self._LOG.warn('Authorization failed for token')
|
self._LOG.warn('Authorization failed for token')
|
||||||
raise InvalidUserToken('Token authorization failed')
|
raise InvalidToken('Token authorization failed')
|
||||||
|
|
||||||
def _build_user_headers(self, auth_ref, token_info):
|
def _build_user_headers(self, auth_ref, token_info):
|
||||||
"""Convert token object into headers.
|
"""Convert token object into headers.
|
||||||
@ -801,39 +873,28 @@ class AuthProtocol(object):
|
|||||||
Build headers that represent authenticated user - see main
|
Build headers that represent authenticated user - see main
|
||||||
doc info at start of file for details of headers to be defined.
|
doc info at start of file for details of headers to be defined.
|
||||||
|
|
||||||
:param token_info: token object returned by keystone on authentication
|
:param token_info: token object returned by identity
|
||||||
:raise InvalidUserToken when unable to parse token object
|
server on authentication
|
||||||
|
:raise InvalidToken: when unable to parse token object
|
||||||
|
|
||||||
"""
|
"""
|
||||||
roles = ','.join(auth_ref.role_names)
|
roles = ','.join(auth_ref.role_names)
|
||||||
|
|
||||||
if _token_is_v2(token_info) and not auth_ref.project_id:
|
if _token_is_v2(token_info) and not auth_ref.project_id:
|
||||||
raise InvalidUserToken('Unable to determine tenancy.')
|
raise InvalidToken('Unable to determine tenancy.')
|
||||||
|
|
||||||
rval = {
|
rval = {
|
||||||
'X-Identity-Status': 'Confirmed',
|
'X-Identity-Status': 'Confirmed',
|
||||||
'X-Domain-Id': auth_ref.domain_id,
|
|
||||||
'X-Domain-Name': auth_ref.domain_name,
|
|
||||||
'X-Project-Id': auth_ref.project_id,
|
|
||||||
'X-Project-Name': auth_ref.project_name,
|
|
||||||
'X-Project-Domain-Id': auth_ref.project_domain_id,
|
|
||||||
'X-Project-Domain-Name': auth_ref.project_domain_name,
|
|
||||||
'X-User-Id': auth_ref.user_id,
|
|
||||||
'X-User-Name': auth_ref.username,
|
|
||||||
'X-User-Domain-Id': auth_ref.user_domain_id,
|
|
||||||
'X-User-Domain-Name': auth_ref.user_domain_name,
|
|
||||||
'X-Roles': roles,
|
'X-Roles': roles,
|
||||||
# Deprecated
|
|
||||||
'X-User': auth_ref.username,
|
|
||||||
'X-Tenant-Id': auth_ref.project_id,
|
|
||||||
'X-Tenant-Name': auth_ref.project_name,
|
|
||||||
'X-Tenant': auth_ref.project_name,
|
|
||||||
'X-Role': roles,
|
|
||||||
}
|
}
|
||||||
|
|
||||||
self._LOG.debug('Received request from user: %s with project_id : %s'
|
for header_tmplt, attr in six.iteritems(_HEADER_TEMPLATE):
|
||||||
' and roles: %s ',
|
rval[header_tmplt % ''] = getattr(auth_ref, attr)
|
||||||
auth_ref.user_id, auth_ref.project_id, roles)
|
|
||||||
|
# Deprecated headers
|
||||||
|
rval['X-Role'] = roles
|
||||||
|
for header_tmplt, attr in six.iteritems(_DEPRECATED_HEADER_TEMPLATE):
|
||||||
|
rval[header_tmplt] = getattr(auth_ref, attr)
|
||||||
|
|
||||||
if self._include_service_catalog and auth_ref.has_service_catalog():
|
if self._include_service_catalog and auth_ref.has_service_catalog():
|
||||||
catalog = auth_ref.service_catalog.get_data()
|
catalog = auth_ref.service_catalog.get_data()
|
||||||
@ -843,6 +904,33 @@ class AuthProtocol(object):
|
|||||||
|
|
||||||
return rval
|
return rval
|
||||||
|
|
||||||
|
def _build_service_headers(self, token_info):
|
||||||
|
"""Convert token object into service headers.
|
||||||
|
|
||||||
|
Build headers that represent authenticated user - see main
|
||||||
|
doc info at start of file for details of headers to be defined.
|
||||||
|
|
||||||
|
:param token_info: token object returned by identity
|
||||||
|
server on authentication
|
||||||
|
:raise InvalidToken: when unable to parse token object
|
||||||
|
|
||||||
|
"""
|
||||||
|
auth_ref = access.AccessInfo.factory(body=token_info)
|
||||||
|
|
||||||
|
if _token_is_v2(token_info) and not auth_ref.project_id:
|
||||||
|
raise InvalidToken('Unable to determine service tenancy.')
|
||||||
|
|
||||||
|
roles = ','.join(auth_ref.role_names)
|
||||||
|
rval = {
|
||||||
|
'X-Service-Roles': roles,
|
||||||
|
}
|
||||||
|
|
||||||
|
header_type = '-Service'
|
||||||
|
for header_tmplt, attr in six.iteritems(_HEADER_TEMPLATE):
|
||||||
|
rval[header_tmplt % header_type] = getattr(auth_ref, attr)
|
||||||
|
|
||||||
|
return rval
|
||||||
|
|
||||||
def _header_to_env_var(self, key):
|
def _header_to_env_var(self, key):
|
||||||
"""Convert header to wsgi env variable.
|
"""Convert header to wsgi env variable.
|
||||||
|
|
||||||
@ -877,7 +965,7 @@ class AuthProtocol(object):
|
|||||||
if msg is False:
|
if msg is False:
|
||||||
msg = 'Token authorization failed'
|
msg = 'Token authorization failed'
|
||||||
|
|
||||||
raise InvalidUserToken(msg)
|
raise InvalidToken(msg)
|
||||||
|
|
||||||
def _confirm_token_bind(self, data, env):
|
def _confirm_token_bind(self, data, env):
|
||||||
bind_mode = self._conf_get('enforce_token_bind')
|
bind_mode = self._conf_get('enforce_token_bind')
|
||||||
@ -995,7 +1083,7 @@ class AuthProtocol(object):
|
|||||||
def _verify_signed_token(self, signed_text, token_ids):
|
def _verify_signed_token(self, signed_text, token_ids):
|
||||||
"""Check that the token is unrevoked and has a valid signature."""
|
"""Check that the token is unrevoked and has a valid signature."""
|
||||||
if self._is_signed_token_revoked(token_ids):
|
if self._is_signed_token_revoked(token_ids):
|
||||||
raise InvalidUserToken('Token has been revoked')
|
raise InvalidToken('Token has been revoked')
|
||||||
|
|
||||||
formatted = cms.token_to_cms(signed_text)
|
formatted = cms.token_to_cms(signed_text)
|
||||||
verified = self._cms_verify(formatted)
|
verified = self._cms_verify(formatted)
|
||||||
@ -1003,14 +1091,14 @@ class AuthProtocol(object):
|
|||||||
|
|
||||||
def _verify_pkiz_token(self, signed_text, token_ids):
|
def _verify_pkiz_token(self, signed_text, token_ids):
|
||||||
if self._is_signed_token_revoked(token_ids):
|
if self._is_signed_token_revoked(token_ids):
|
||||||
raise InvalidUserToken('Token has been revoked')
|
raise InvalidToken('Token has been revoked')
|
||||||
try:
|
try:
|
||||||
uncompressed = cms.pkiz_uncompress(signed_text)
|
uncompressed = cms.pkiz_uncompress(signed_text)
|
||||||
verified = self._cms_verify(uncompressed, inform=cms.PKIZ_CMS_FORM)
|
verified = self._cms_verify(uncompressed, inform=cms.PKIZ_CMS_FORM)
|
||||||
return verified
|
return verified
|
||||||
# TypeError If the signed_text is not zlib compressed
|
# TypeError If the signed_text is not zlib compressed
|
||||||
except TypeError:
|
except TypeError:
|
||||||
raise InvalidUserToken(signed_text)
|
raise InvalidToken(signed_text)
|
||||||
|
|
||||||
def _verify_signing_dir(self):
|
def _verify_signing_dir(self):
|
||||||
if os.path.exists(self._signing_dirname):
|
if os.path.exists(self._signing_dirname):
|
||||||
@ -1234,7 +1322,7 @@ class _IdentityServer(object):
|
|||||||
user authentication when an indeterminate
|
user authentication when an indeterminate
|
||||||
response is received. Optional.
|
response is received. Optional.
|
||||||
:return: token object received from keystone on success
|
:return: token object received from keystone on success
|
||||||
:raise InvalidUserToken: if token is rejected
|
:raise InvalidToken: if token is rejected
|
||||||
:raise ServiceError: if unable to authenticate token
|
:raise ServiceError: if unable to authenticate token
|
||||||
|
|
||||||
"""
|
"""
|
||||||
@ -1278,7 +1366,7 @@ class _IdentityServer(object):
|
|||||||
if response.status_code == 200:
|
if response.status_code == 200:
|
||||||
return data
|
return data
|
||||||
|
|
||||||
raise InvalidUserToken()
|
raise InvalidToken()
|
||||||
|
|
||||||
def fetch_revocation_list(self):
|
def fetch_revocation_list(self):
|
||||||
try:
|
try:
|
||||||
@ -1490,7 +1578,7 @@ class _TokenCache(object):
|
|||||||
The second element is the token data from the cache if the token was
|
The second element is the token data from the cache if the token was
|
||||||
cached, otherwise ``None``.
|
cached, otherwise ``None``.
|
||||||
|
|
||||||
:raises InvalidUserToken: if the token is invalid
|
:raises InvalidToken: if the token is invalid
|
||||||
|
|
||||||
"""
|
"""
|
||||||
|
|
||||||
@ -1541,7 +1629,7 @@ class _TokenCache(object):
|
|||||||
def _cache_get(self, token_id):
|
def _cache_get(self, token_id):
|
||||||
"""Return token information from cache.
|
"""Return token information from cache.
|
||||||
|
|
||||||
If token is invalid raise InvalidUserToken
|
If token is invalid raise InvalidToken
|
||||||
return token only if fresh (not expired).
|
return token only if fresh (not expired).
|
||||||
"""
|
"""
|
||||||
|
|
||||||
@ -1590,7 +1678,7 @@ class _TokenCache(object):
|
|||||||
cached = jsonutils.loads(serialized)
|
cached = jsonutils.loads(serialized)
|
||||||
if cached == self._INVALID_INDICATOR:
|
if cached == self._INVALID_INDICATOR:
|
||||||
self._LOG.debug('Cached Token is marked unauthorized')
|
self._LOG.debug('Cached Token is marked unauthorized')
|
||||||
raise InvalidUserToken('Token authorization failed')
|
raise InvalidToken('Token authorization failed')
|
||||||
|
|
||||||
data, expires = cached
|
data, expires = cached
|
||||||
|
|
||||||
@ -1609,7 +1697,7 @@ class _TokenCache(object):
|
|||||||
return data
|
return data
|
||||||
else:
|
else:
|
||||||
self._LOG.debug('Cached Token seems expired')
|
self._LOG.debug('Cached Token seems expired')
|
||||||
raise InvalidUserToken('Token authorization failed')
|
raise InvalidToken('Token authorization failed')
|
||||||
|
|
||||||
def _cache_store(self, token_id, data):
|
def _cache_store(self, token_id, data):
|
||||||
"""Store value into memcache.
|
"""Store value into memcache.
|
||||||
|
@ -127,6 +127,9 @@ class Examples(fixtures.Fixture):
|
|||||||
self.v3_UUID_TOKEN_BIND = '2f61f73e1c854cbb9534c487f9bd63c2'
|
self.v3_UUID_TOKEN_BIND = '2f61f73e1c854cbb9534c487f9bd63c2'
|
||||||
self.v3_UUID_TOKEN_UNKNOWN_BIND = '7ed9781b62cd4880b8d8c6788ab1d1e2'
|
self.v3_UUID_TOKEN_UNKNOWN_BIND = '7ed9781b62cd4880b8d8c6788ab1d1e2'
|
||||||
|
|
||||||
|
self.UUID_SERVICE_TOKEN_DEFAULT = 'fe4c0710ec2f492748596c1b53ab124'
|
||||||
|
self.v3_UUID_SERVICE_TOKEN_DEFAULT = 'g431071bbc2f492748596c1b53cb229'
|
||||||
|
|
||||||
revoked_token = self.REVOKED_TOKEN
|
revoked_token = self.REVOKED_TOKEN
|
||||||
if isinstance(revoked_token, six.text_type):
|
if isinstance(revoked_token, six.text_type):
|
||||||
revoked_token = revoked_token.encode('utf-8')
|
revoked_token = revoked_token.encode('utf-8')
|
||||||
@ -235,6 +238,15 @@ class Examples(fixtures.Fixture):
|
|||||||
ROLE_NAME1 = 'role1'
|
ROLE_NAME1 = 'role1'
|
||||||
ROLE_NAME2 = 'role2'
|
ROLE_NAME2 = 'role2'
|
||||||
|
|
||||||
|
SERVICE_PROJECT_ID = 'service_project_id1'
|
||||||
|
SERVICE_PROJECT_NAME = 'service_project_name1'
|
||||||
|
SERVICE_USER_ID = 'service_user_id1'
|
||||||
|
SERVICE_USER_NAME = 'service_user_name1'
|
||||||
|
SERVICE_DOMAIN_ID = 'service_domain_id1'
|
||||||
|
SERVICE_DOMAIN_NAME = 'service_domain_name1'
|
||||||
|
SERVICE_ROLE_NAME1 = 'service_role1'
|
||||||
|
SERVICE_ROLE_NAME2 = 'service_role2'
|
||||||
|
|
||||||
self.SERVICE_TYPE = 'identity'
|
self.SERVICE_TYPE = 'identity'
|
||||||
self.UNVERSIONED_SERVICE_URL = 'http://keystone.server:5000/'
|
self.UNVERSIONED_SERVICE_URL = 'http://keystone.server:5000/'
|
||||||
self.SERVICE_URL = self.UNVERSIONED_SERVICE_URL + 'v2.0'
|
self.SERVICE_URL = self.UNVERSIONED_SERVICE_URL + 'v2.0'
|
||||||
@ -320,6 +332,17 @@ class Examples(fixtures.Fixture):
|
|||||||
token['access']['token']['bind'] = {'FOO': 'BAR'}
|
token['access']['token']['bind'] = {'FOO': 'BAR'}
|
||||||
self.TOKEN_RESPONSES[self.UUID_TOKEN_UNKNOWN_BIND] = token
|
self.TOKEN_RESPONSES[self.UUID_TOKEN_UNKNOWN_BIND] = token
|
||||||
|
|
||||||
|
token = fixture.V2Token(token_id=self.UUID_SERVICE_TOKEN_DEFAULT,
|
||||||
|
tenant_id=SERVICE_PROJECT_ID,
|
||||||
|
tenant_name=SERVICE_PROJECT_NAME,
|
||||||
|
user_id=SERVICE_USER_ID,
|
||||||
|
user_name=SERVICE_USER_NAME)
|
||||||
|
token.add_role(name=SERVICE_ROLE_NAME1)
|
||||||
|
token.add_role(name=SERVICE_ROLE_NAME2)
|
||||||
|
svc = token.add_service(self.SERVICE_TYPE)
|
||||||
|
svc.add_endpoint(public=self.SERVICE_URL)
|
||||||
|
self.TOKEN_RESPONSES[self.UUID_SERVICE_TOKEN_DEFAULT] = token
|
||||||
|
|
||||||
# Generated V3 Tokens
|
# Generated V3 Tokens
|
||||||
|
|
||||||
token = fixture.V3Token(user_id=USER_ID,
|
token = fixture.V3Token(user_id=USER_ID,
|
||||||
@ -398,6 +421,22 @@ class Examples(fixtures.Fixture):
|
|||||||
token['token']['bind'] = {'FOO': 'BAR'}
|
token['token']['bind'] = {'FOO': 'BAR'}
|
||||||
self.TOKEN_RESPONSES[self.v3_UUID_TOKEN_UNKNOWN_BIND] = token
|
self.TOKEN_RESPONSES[self.v3_UUID_TOKEN_UNKNOWN_BIND] = token
|
||||||
|
|
||||||
|
token = fixture.V3Token(user_id=SERVICE_USER_ID,
|
||||||
|
user_name=SERVICE_USER_NAME,
|
||||||
|
user_domain_id=SERVICE_DOMAIN_ID,
|
||||||
|
user_domain_name=SERVICE_DOMAIN_NAME,
|
||||||
|
project_id=SERVICE_PROJECT_ID,
|
||||||
|
project_name=SERVICE_PROJECT_NAME,
|
||||||
|
project_domain_id=SERVICE_DOMAIN_ID,
|
||||||
|
project_domain_name=SERVICE_DOMAIN_NAME)
|
||||||
|
token.add_role(id=SERVICE_ROLE_NAME1,
|
||||||
|
name=SERVICE_ROLE_NAME1)
|
||||||
|
token.add_role(id=SERVICE_ROLE_NAME2,
|
||||||
|
name=SERVICE_ROLE_NAME2)
|
||||||
|
svc = token.add_service(self.SERVICE_TYPE)
|
||||||
|
svc.add_endpoint('public', self.SERVICE_URL)
|
||||||
|
self.TOKEN_RESPONSES[self.v3_UUID_SERVICE_TOKEN_DEFAULT] = token
|
||||||
|
|
||||||
# PKIZ tokens generally link to above tokens
|
# PKIZ tokens generally link to above tokens
|
||||||
|
|
||||||
self.TOKEN_RESPONSES[self.SIGNED_TOKEN_SCOPED_PKIZ_KEY] = (
|
self.TOKEN_RESPONSES[self.SIGNED_TOKEN_SCOPED_PKIZ_KEY] = (
|
||||||
|
@ -17,7 +17,6 @@ import datetime
|
|||||||
import json
|
import json
|
||||||
import os
|
import os
|
||||||
import shutil
|
import shutil
|
||||||
import six
|
|
||||||
import stat
|
import stat
|
||||||
import tempfile
|
import tempfile
|
||||||
import time
|
import time
|
||||||
@ -32,6 +31,7 @@ from keystoneclient import exceptions
|
|||||||
from keystoneclient import fixture
|
from keystoneclient import fixture
|
||||||
from keystoneclient import session
|
from keystoneclient import session
|
||||||
import mock
|
import mock
|
||||||
|
import six
|
||||||
import testresources
|
import testresources
|
||||||
import testtools
|
import testtools
|
||||||
from testtools import matchers
|
from testtools import matchers
|
||||||
@ -58,6 +58,28 @@ EXPECTED_V2_DEFAULT_ENV_RESPONSE = {
|
|||||||
'HTTP_X_ROLE': 'role1,role2', # deprecated (diablo-compat)
|
'HTTP_X_ROLE': 'role1,role2', # deprecated (diablo-compat)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
EXPECTED_V2_DEFAULT_SERVICE_ENV_RESPONSE = {
|
||||||
|
'HTTP_X_SERVICE_PROJECT_ID': 'service_project_id1',
|
||||||
|
'HTTP_X_SERVICE_PROJECT_NAME': 'service_project_name1',
|
||||||
|
'HTTP_X_SERVICE_USER_ID': 'service_user_id1',
|
||||||
|
'HTTP_X_SERVICE_USER_NAME': 'service_user_name1',
|
||||||
|
'HTTP_X_SERVICE_ROLES': 'service_role1,service_role2',
|
||||||
|
}
|
||||||
|
|
||||||
|
EXPECTED_V3_DEFAULT_ENV_ADDITIONS = {
|
||||||
|
'HTTP_X_PROJECT_DOMAIN_ID': 'domain_id1',
|
||||||
|
'HTTP_X_PROJECT_DOMAIN_NAME': 'domain_name1',
|
||||||
|
'HTTP_X_USER_DOMAIN_ID': 'domain_id1',
|
||||||
|
'HTTP_X_USER_DOMAIN_NAME': 'domain_name1',
|
||||||
|
}
|
||||||
|
|
||||||
|
EXPECTED_V3_DEFAULT_SERVICE_ENV_ADDITIONS = {
|
||||||
|
'HTTP_X_SERVICE_PROJECT_DOMAIN_ID': 'service_domain_id1',
|
||||||
|
'HTTP_X_SERVICE_PROJECT_DOMAIN_NAME': 'service_domain_name1',
|
||||||
|
'HTTP_X_SERVICE_USER_DOMAIN_ID': 'service_domain_id1',
|
||||||
|
'HTTP_X_SERVICE_USER_DOMAIN_NAME': 'service_domain_name1'
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
BASE_HOST = 'https://keystone.example.com:1234'
|
BASE_HOST = 'https://keystone.example.com:1234'
|
||||||
BASE_URI = '%s/testadmin' % BASE_HOST
|
BASE_URI = '%s/testadmin' % BASE_HOST
|
||||||
@ -167,41 +189,86 @@ class FakeApp(object):
|
|||||||
"""This represents a WSGI app protected by the auth_token middleware."""
|
"""This represents a WSGI app protected by the auth_token middleware."""
|
||||||
|
|
||||||
SUCCESS = b'SUCCESS'
|
SUCCESS = b'SUCCESS'
|
||||||
|
FORBIDDEN = b'FORBIDDEN'
|
||||||
|
expected_env = {}
|
||||||
|
|
||||||
def __init__(self, expected_env=None):
|
def __init__(self, expected_env=None, need_service_token=False):
|
||||||
self.expected_env = dict(EXPECTED_V2_DEFAULT_ENV_RESPONSE)
|
self.expected_env = dict(EXPECTED_V2_DEFAULT_ENV_RESPONSE)
|
||||||
|
|
||||||
if expected_env:
|
if expected_env:
|
||||||
self.expected_env.update(expected_env)
|
self.expected_env.update(expected_env)
|
||||||
|
|
||||||
|
self.need_service_token = need_service_token
|
||||||
|
|
||||||
def __call__(self, env, start_response):
|
def __call__(self, env, start_response):
|
||||||
for k, v in self.expected_env.items():
|
for k, v in self.expected_env.items():
|
||||||
assert env[k] == v, '%s != %s' % (env[k], v)
|
assert env[k] == v, '%s != %s' % (env[k], v)
|
||||||
|
|
||||||
resp = webob.Response()
|
resp = webob.Response()
|
||||||
|
|
||||||
|
if env['HTTP_X_IDENTITY_STATUS'] == 'Invalid':
|
||||||
|
# Simulate delayed auth forbidding access
|
||||||
|
resp.status = 403
|
||||||
|
resp.body = FakeApp.FORBIDDEN
|
||||||
|
elif (self.need_service_token is True and
|
||||||
|
env.get('HTTP_X_SERVICE_TOKEN') is None):
|
||||||
|
# Simulate requiring composite auth
|
||||||
|
# Arbitrary value to allow checking this code path
|
||||||
|
resp.status = 418
|
||||||
|
resp.body = FakeApp.FORBIDDEN
|
||||||
|
else:
|
||||||
resp.body = FakeApp.SUCCESS
|
resp.body = FakeApp.SUCCESS
|
||||||
|
|
||||||
return resp(env, start_response)
|
return resp(env, start_response)
|
||||||
|
|
||||||
|
|
||||||
class v3FakeApp(FakeApp):
|
class v3FakeApp(FakeApp):
|
||||||
"""This represents a v3 WSGI app protected by the auth_token middleware."""
|
"""This represents a v3 WSGI app protected by the auth_token middleware."""
|
||||||
|
|
||||||
def __init__(self, expected_env=None):
|
def __init__(self, expected_env=None, need_service_token=False):
|
||||||
|
|
||||||
# with v3 additions, these are for the DEFAULT TOKEN
|
# with v3 additions, these are for the DEFAULT TOKEN
|
||||||
v3_default_env_additions = {
|
v3_default_env_additions = dict(EXPECTED_V3_DEFAULT_ENV_ADDITIONS)
|
||||||
'HTTP_X_PROJECT_ID': 'tenant_id1',
|
|
||||||
'HTTP_X_PROJECT_NAME': 'tenant_name1',
|
|
||||||
'HTTP_X_PROJECT_DOMAIN_ID': 'domain_id1',
|
|
||||||
'HTTP_X_PROJECT_DOMAIN_NAME': 'domain_name1',
|
|
||||||
'HTTP_X_USER_DOMAIN_ID': 'domain_id1',
|
|
||||||
'HTTP_X_USER_DOMAIN_NAME': 'domain_name1'
|
|
||||||
}
|
|
||||||
|
|
||||||
if expected_env:
|
if expected_env:
|
||||||
v3_default_env_additions.update(expected_env)
|
v3_default_env_additions.update(expected_env)
|
||||||
|
super(v3FakeApp, self).__init__(expected_env=v3_default_env_additions,
|
||||||
|
need_service_token=need_service_token)
|
||||||
|
|
||||||
super(v3FakeApp, self).__init__(v3_default_env_additions)
|
|
||||||
|
class CompositeBase(object):
|
||||||
|
"""Base composite auth object with common service token environment."""
|
||||||
|
|
||||||
|
def __init__(self, expected_env=None):
|
||||||
|
comp_expected_env = dict(EXPECTED_V2_DEFAULT_SERVICE_ENV_RESPONSE)
|
||||||
|
|
||||||
|
if expected_env:
|
||||||
|
comp_expected_env.update(expected_env)
|
||||||
|
|
||||||
|
super(CompositeBase, self).__init__(
|
||||||
|
expected_env=comp_expected_env, need_service_token=True)
|
||||||
|
|
||||||
|
|
||||||
|
class CompositeFakeApp(CompositeBase, FakeApp):
|
||||||
|
"""A fake v2 WSGI app protected by composite auth_token middleware."""
|
||||||
|
|
||||||
|
def __init__(self, expected_env):
|
||||||
|
super(CompositeFakeApp, self).__init__(expected_env=expected_env)
|
||||||
|
|
||||||
|
|
||||||
|
class v3CompositeFakeApp(CompositeBase, v3FakeApp):
|
||||||
|
"""A fake v3 WSGI app protected by composite auth_token middleware."""
|
||||||
|
|
||||||
|
def __init__(self, expected_env=None):
|
||||||
|
|
||||||
|
# with v3 additions, these are for the DEFAULT SERVICE TOKEN
|
||||||
|
v3_default_service_env_additions = dict(
|
||||||
|
EXPECTED_V3_DEFAULT_SERVICE_ENV_ADDITIONS)
|
||||||
|
|
||||||
|
if expected_env:
|
||||||
|
v3_default_service_env_additions.update(expected_env)
|
||||||
|
|
||||||
|
super(v3CompositeFakeApp, self).__init__(
|
||||||
|
v3_default_service_env_additions)
|
||||||
|
|
||||||
|
|
||||||
def new_app(status, body, headers={}):
|
def new_app(status, body, headers={}):
|
||||||
@ -281,6 +348,17 @@ class BaseAuthTokenMiddlewareTest(testtools.TestCase):
|
|||||||
self.middleware._token_revocation_list = jsonutils.dumps(
|
self.middleware._token_revocation_list = jsonutils.dumps(
|
||||||
{"revoked": [], "extra": "success"})
|
{"revoked": [], "extra": "success"})
|
||||||
|
|
||||||
|
def update_expected_env(self, expected_env={}):
|
||||||
|
self.middleware._app.expected_env.update(expected_env)
|
||||||
|
|
||||||
|
def purge_token_expected_env(self):
|
||||||
|
for key in six.iterkeys(self.token_expected_env):
|
||||||
|
del self.middleware._app.expected_env[key]
|
||||||
|
|
||||||
|
def purge_service_token_expected_env(self):
|
||||||
|
for key in six.iterkeys(self.service_token_expected_env):
|
||||||
|
del self.middleware._app.expected_env[key]
|
||||||
|
|
||||||
def start_fake_response(self, status, headers, exc_info=None):
|
def start_fake_response(self, status, headers, exc_info=None):
|
||||||
self.response_status = int(status.split(' ', 1)[0])
|
self.response_status = int(status.split(' ', 1)[0])
|
||||||
self.response_headers = dict(headers)
|
self.response_headers = dict(headers)
|
||||||
@ -778,7 +856,7 @@ class CommonAuthTokenMiddlewareTest(object):
|
|||||||
def test_verify_signed_token_raises_exception_for_revoked_token(self):
|
def test_verify_signed_token_raises_exception_for_revoked_token(self):
|
||||||
self.middleware._token_revocation_list = (
|
self.middleware._token_revocation_list = (
|
||||||
self.get_revocation_list_json())
|
self.get_revocation_list_json())
|
||||||
self.assertRaises(auth_token.InvalidUserToken,
|
self.assertRaises(auth_token.InvalidToken,
|
||||||
self.middleware._verify_signed_token,
|
self.middleware._verify_signed_token,
|
||||||
self.token_dict['revoked_token'],
|
self.token_dict['revoked_token'],
|
||||||
[self.token_dict['revoked_token_hash']])
|
[self.token_dict['revoked_token_hash']])
|
||||||
@ -788,7 +866,7 @@ class CommonAuthTokenMiddlewareTest(object):
|
|||||||
self.set_middleware()
|
self.set_middleware()
|
||||||
self.middleware._token_revocation_list = (
|
self.middleware._token_revocation_list = (
|
||||||
self.get_revocation_list_json(mode='sha256'))
|
self.get_revocation_list_json(mode='sha256'))
|
||||||
self.assertRaises(auth_token.InvalidUserToken,
|
self.assertRaises(auth_token.InvalidToken,
|
||||||
self.middleware._verify_signed_token,
|
self.middleware._verify_signed_token,
|
||||||
self.token_dict['revoked_token'],
|
self.token_dict['revoked_token'],
|
||||||
[self.token_dict['revoked_token_hash_sha256'],
|
[self.token_dict['revoked_token_hash_sha256'],
|
||||||
@ -797,7 +875,7 @@ class CommonAuthTokenMiddlewareTest(object):
|
|||||||
def test_verify_signed_token_raises_exception_for_revoked_pkiz_token(self):
|
def test_verify_signed_token_raises_exception_for_revoked_pkiz_token(self):
|
||||||
self.middleware._token_revocation_list = (
|
self.middleware._token_revocation_list = (
|
||||||
self.examples.REVOKED_TOKEN_PKIZ_LIST_JSON)
|
self.examples.REVOKED_TOKEN_PKIZ_LIST_JSON)
|
||||||
self.assertRaises(auth_token.InvalidUserToken,
|
self.assertRaises(auth_token.InvalidToken,
|
||||||
self.middleware._verify_pkiz_token,
|
self.middleware._verify_pkiz_token,
|
||||||
self.token_dict['revoked_token_pkiz'],
|
self.token_dict['revoked_token_pkiz'],
|
||||||
[self.token_dict['revoked_token_pkiz_hash']])
|
[self.token_dict['revoked_token_pkiz_hash']])
|
||||||
@ -960,7 +1038,7 @@ class CommonAuthTokenMiddlewareTest(object):
|
|||||||
|
|
||||||
self.middleware._LOG = FakeLog()
|
self.middleware._LOG = FakeLog()
|
||||||
self.middleware._delay_auth_decision = False
|
self.middleware._delay_auth_decision = False
|
||||||
self.assertRaises(auth_token.InvalidUserToken,
|
self.assertRaises(auth_token.InvalidToken,
|
||||||
self.middleware._get_user_token_from_header, {})
|
self.middleware._get_user_token_from_header, {})
|
||||||
self.assertIsNotNone(self.middleware._LOG.msg)
|
self.assertIsNotNone(self.middleware._LOG.msg)
|
||||||
self.assertIsNotNone(self.middleware._LOG.debugmsg)
|
self.assertIsNotNone(self.middleware._LOG.debugmsg)
|
||||||
@ -1012,7 +1090,7 @@ class CommonAuthTokenMiddlewareTest(object):
|
|||||||
token = 'invalid-token'
|
token = 'invalid-token'
|
||||||
req.headers['X-Auth-Token'] = token
|
req.headers['X-Auth-Token'] = token
|
||||||
self.middleware(req.environ, self.start_fake_response)
|
self.middleware(req.environ, self.start_fake_response)
|
||||||
self.assertRaises(auth_token.InvalidUserToken,
|
self.assertRaises(auth_token.InvalidToken,
|
||||||
self._get_cached_token, token)
|
self._get_cached_token, token)
|
||||||
|
|
||||||
def _test_memcache_set_invalid_signed(self, hash_algorithms=None,
|
def _test_memcache_set_invalid_signed(self, hash_algorithms=None,
|
||||||
@ -1024,7 +1102,7 @@ class CommonAuthTokenMiddlewareTest(object):
|
|||||||
self.conf['hash_algorithms'] = hash_algorithms
|
self.conf['hash_algorithms'] = hash_algorithms
|
||||||
self.set_middleware()
|
self.set_middleware()
|
||||||
self.middleware(req.environ, self.start_fake_response)
|
self.middleware(req.environ, self.start_fake_response)
|
||||||
self.assertRaises(auth_token.InvalidUserToken,
|
self.assertRaises(auth_token.InvalidToken,
|
||||||
self._get_cached_token, token, mode=exp_mode)
|
self._get_cached_token, token, mode=exp_mode)
|
||||||
|
|
||||||
def test_memcache_set_invalid_signed(self):
|
def test_memcache_set_invalid_signed(self):
|
||||||
@ -1876,13 +1954,13 @@ class TokenExpirationTest(BaseAuthTokenMiddlewareTest):
|
|||||||
|
|
||||||
def test_no_data(self):
|
def test_no_data(self):
|
||||||
data = {}
|
data = {}
|
||||||
self.assertRaises(auth_token.InvalidUserToken,
|
self.assertRaises(auth_token.InvalidToken,
|
||||||
auth_token._confirm_token_not_expired,
|
auth_token._confirm_token_not_expired,
|
||||||
data)
|
data)
|
||||||
|
|
||||||
def test_bad_data(self):
|
def test_bad_data(self):
|
||||||
data = {'my_happy_token_dict': 'woo'}
|
data = {'my_happy_token_dict': 'woo'}
|
||||||
self.assertRaises(auth_token.InvalidUserToken,
|
self.assertRaises(auth_token.InvalidToken,
|
||||||
auth_token._confirm_token_not_expired,
|
auth_token._confirm_token_not_expired,
|
||||||
data)
|
data)
|
||||||
|
|
||||||
@ -1894,7 +1972,7 @@ class TokenExpirationTest(BaseAuthTokenMiddlewareTest):
|
|||||||
|
|
||||||
def test_v2_token_expired(self):
|
def test_v2_token_expired(self):
|
||||||
data = self.create_v2_token_fixture(expires=self.one_hour_ago)
|
data = self.create_v2_token_fixture(expires=self.one_hour_ago)
|
||||||
self.assertRaises(auth_token.InvalidUserToken,
|
self.assertRaises(auth_token.InvalidToken,
|
||||||
auth_token._confirm_token_not_expired,
|
auth_token._confirm_token_not_expired,
|
||||||
data)
|
data)
|
||||||
|
|
||||||
@ -1917,7 +1995,7 @@ class TokenExpirationTest(BaseAuthTokenMiddlewareTest):
|
|||||||
data = self.create_v2_token_fixture(
|
data = self.create_v2_token_fixture(
|
||||||
expires='2000-01-01T00:05:10.000123+05:00')
|
expires='2000-01-01T00:05:10.000123+05:00')
|
||||||
data['access']['token']['expires'] = '2000-01-01T00:05:10.000123+05:00'
|
data['access']['token']['expires'] = '2000-01-01T00:05:10.000123+05:00'
|
||||||
self.assertRaises(auth_token.InvalidUserToken,
|
self.assertRaises(auth_token.InvalidToken,
|
||||||
auth_token._confirm_token_not_expired,
|
auth_token._confirm_token_not_expired,
|
||||||
data)
|
data)
|
||||||
|
|
||||||
@ -1929,7 +2007,7 @@ class TokenExpirationTest(BaseAuthTokenMiddlewareTest):
|
|||||||
|
|
||||||
def test_v3_token_expired(self):
|
def test_v3_token_expired(self):
|
||||||
data = self.create_v3_token_fixture(expires=self.one_hour_ago)
|
data = self.create_v3_token_fixture(expires=self.one_hour_ago)
|
||||||
self.assertRaises(auth_token.InvalidUserToken,
|
self.assertRaises(auth_token.InvalidToken,
|
||||||
auth_token._confirm_token_not_expired,
|
auth_token._confirm_token_not_expired,
|
||||||
data)
|
data)
|
||||||
|
|
||||||
@ -1952,7 +2030,7 @@ class TokenExpirationTest(BaseAuthTokenMiddlewareTest):
|
|||||||
mock_utcnow.return_value = current_time
|
mock_utcnow.return_value = current_time
|
||||||
data = self.create_v3_token_fixture(
|
data = self.create_v3_token_fixture(
|
||||||
expires='2000-01-01T00:05:10.000123+05:00')
|
expires='2000-01-01T00:05:10.000123+05:00')
|
||||||
self.assertRaises(auth_token.InvalidUserToken,
|
self.assertRaises(auth_token.InvalidToken,
|
||||||
auth_token._confirm_token_not_expired,
|
auth_token._confirm_token_not_expired,
|
||||||
data)
|
data)
|
||||||
|
|
||||||
@ -1993,7 +2071,7 @@ class TokenExpirationTest(BaseAuthTokenMiddlewareTest):
|
|||||||
expires = some_time_earlier
|
expires = some_time_earlier
|
||||||
self.middleware._token_cache.store(token, data, expires)
|
self.middleware._token_cache.store(token, data, expires)
|
||||||
self.assertThat(lambda: self.middleware._token_cache._cache_get(token),
|
self.assertThat(lambda: self.middleware._token_cache._cache_get(token),
|
||||||
matchers.raises(auth_token.InvalidUserToken))
|
matchers.raises(auth_token.InvalidToken))
|
||||||
|
|
||||||
def test_cached_token_with_timezone_offset_not_expired(self):
|
def test_cached_token_with_timezone_offset_not_expired(self):
|
||||||
token = 'mytoken'
|
token = 'mytoken'
|
||||||
@ -2016,7 +2094,7 @@ class TokenExpirationTest(BaseAuthTokenMiddlewareTest):
|
|||||||
expires = timeutils.strtime(some_time_earlier) + '-02:00'
|
expires = timeutils.strtime(some_time_earlier) + '-02:00'
|
||||||
self.middleware._token_cache.store(token, data, expires)
|
self.middleware._token_cache.store(token, data, expires)
|
||||||
self.assertThat(lambda: self.middleware._token_cache._cache_get(token),
|
self.assertThat(lambda: self.middleware._token_cache._cache_get(token),
|
||||||
matchers.raises(auth_token.InvalidUserToken))
|
matchers.raises(auth_token.InvalidToken))
|
||||||
|
|
||||||
|
|
||||||
class CatalogConversionTests(BaseAuthTokenMiddlewareTest):
|
class CatalogConversionTests(BaseAuthTokenMiddlewareTest):
|
||||||
@ -2102,5 +2180,282 @@ class DelayedAuthTests(BaseAuthTokenMiddlewareTest):
|
|||||||
self.response_headers['WWW-Authenticate'])
|
self.response_headers['WWW-Authenticate'])
|
||||||
|
|
||||||
|
|
||||||
|
class CommonCompositeAuthTests(object):
|
||||||
|
"""Test Composite authentication.
|
||||||
|
|
||||||
|
Test the behaviour of adding a service-token.
|
||||||
|
"""
|
||||||
|
|
||||||
|
def test_composite_auth_ok(self):
|
||||||
|
req = webob.Request.blank('/')
|
||||||
|
token = self.token_dict['uuid_token_default']
|
||||||
|
service_token = self.token_dict['uuid_service_token_default']
|
||||||
|
req.headers['X-Auth-Token'] = token
|
||||||
|
req.headers['X-Service-Token'] = service_token
|
||||||
|
body = self.middleware(req.environ, self.start_fake_response)
|
||||||
|
self.assertEqual(200, self.response_status)
|
||||||
|
self.assertEqual([FakeApp.SUCCESS], body)
|
||||||
|
|
||||||
|
def test_composite_auth_invalid_service_token(self):
|
||||||
|
req = webob.Request.blank('/')
|
||||||
|
token = self.token_dict['uuid_token_default']
|
||||||
|
service_token = 'invalid-service-token'
|
||||||
|
req.headers['X-Auth-Token'] = token
|
||||||
|
req.headers['X-Service-Token'] = service_token
|
||||||
|
body = self.middleware(req.environ, self.start_fake_response)
|
||||||
|
self.assertEqual(401, self.response_status)
|
||||||
|
self.assertEqual(['Authentication required'], body)
|
||||||
|
|
||||||
|
def test_composite_auth_no_service_token(self):
|
||||||
|
self.purge_service_token_expected_env()
|
||||||
|
req = webob.Request.blank('/')
|
||||||
|
token = self.token_dict['uuid_token_default']
|
||||||
|
req.headers['X-Auth-Token'] = token
|
||||||
|
|
||||||
|
# Ensure injection of service headers is not possible
|
||||||
|
for key, value in six.iteritems(self.service_token_expected_env):
|
||||||
|
header_key = key[len('HTTP_'):].replace('_', '-')
|
||||||
|
req.headers[header_key] = value
|
||||||
|
# Check arbitrary headers not removed
|
||||||
|
req.headers['X-Foo'] = 'Bar'
|
||||||
|
body = self.middleware(req.environ, self.start_fake_response)
|
||||||
|
for key in six.iterkeys(self.service_token_expected_env):
|
||||||
|
self.assertFalse(req.headers.get(key))
|
||||||
|
self.assertEqual('Bar', req.headers.get('X-Foo'))
|
||||||
|
self.assertEqual(418, self.response_status)
|
||||||
|
self.assertEqual([FakeApp.FORBIDDEN], body)
|
||||||
|
|
||||||
|
def test_composite_auth_invalid_user_token(self):
|
||||||
|
req = webob.Request.blank('/')
|
||||||
|
token = 'invalid-token'
|
||||||
|
service_token = self.token_dict['uuid_service_token_default']
|
||||||
|
req.headers['X-Auth-Token'] = token
|
||||||
|
req.headers['X-Service-Token'] = service_token
|
||||||
|
body = self.middleware(req.environ, self.start_fake_response)
|
||||||
|
self.assertEqual(401, self.response_status)
|
||||||
|
self.assertEqual(['Authentication required'], body)
|
||||||
|
|
||||||
|
def test_composite_auth_no_user_token(self):
|
||||||
|
req = webob.Request.blank('/')
|
||||||
|
service_token = self.token_dict['uuid_service_token_default']
|
||||||
|
req.headers['X-Service-Token'] = service_token
|
||||||
|
body = self.middleware(req.environ, self.start_fake_response)
|
||||||
|
self.assertEqual(401, self.response_status)
|
||||||
|
self.assertEqual(['Authentication required'], body)
|
||||||
|
|
||||||
|
def test_composite_auth_delay_ok(self):
|
||||||
|
self.middleware._delay_auth_decision = True
|
||||||
|
req = webob.Request.blank('/')
|
||||||
|
token = self.token_dict['uuid_token_default']
|
||||||
|
service_token = self.token_dict['uuid_service_token_default']
|
||||||
|
req.headers['X-Auth-Token'] = token
|
||||||
|
req.headers['X-Service-Token'] = service_token
|
||||||
|
body = self.middleware(req.environ, self.start_fake_response)
|
||||||
|
self.assertEqual(200, self.response_status)
|
||||||
|
self.assertEqual([FakeApp.SUCCESS], body)
|
||||||
|
|
||||||
|
def test_composite_auth_delay_invalid_service_token(self):
|
||||||
|
self.middleware._delay_auth_decision = True
|
||||||
|
req = webob.Request.blank('/')
|
||||||
|
token = self.token_dict['uuid_token_default']
|
||||||
|
service_token = 'invalid-service-token'
|
||||||
|
req.headers['X-Auth-Token'] = token
|
||||||
|
req.headers['X-Service-Token'] = service_token
|
||||||
|
body = self.middleware(req.environ, self.start_fake_response)
|
||||||
|
self.assertEqual(401, self.response_status)
|
||||||
|
self.assertEqual(['Authentication required'], body)
|
||||||
|
|
||||||
|
def test_composite_auth_delay_no_service_token(self):
|
||||||
|
self.middleware._delay_auth_decision = True
|
||||||
|
self.purge_service_token_expected_env()
|
||||||
|
|
||||||
|
req = webob.Request.blank('/')
|
||||||
|
token = self.token_dict['uuid_token_default']
|
||||||
|
req.headers['X-Auth-Token'] = token
|
||||||
|
|
||||||
|
# Ensure injection of service headers is not possible
|
||||||
|
for key, value in six.iteritems(self.service_token_expected_env):
|
||||||
|
header_key = key[len('HTTP_'):].replace('_', '-')
|
||||||
|
req.headers[header_key] = value
|
||||||
|
# Check arbitrary headers not removed
|
||||||
|
req.headers['X-Foo'] = 'Bar'
|
||||||
|
body = self.middleware(req.environ, self.start_fake_response)
|
||||||
|
for key in six.iterkeys(self.service_token_expected_env):
|
||||||
|
self.assertFalse(req.headers.get(key))
|
||||||
|
self.assertEqual('Bar', req.headers.get('X-Foo'))
|
||||||
|
self.assertEqual(418, self.response_status)
|
||||||
|
self.assertEqual([FakeApp.FORBIDDEN], body)
|
||||||
|
|
||||||
|
def test_composite_auth_delay_invalid_user_token(self):
|
||||||
|
self.middleware._delay_auth_decision = True
|
||||||
|
self.purge_token_expected_env()
|
||||||
|
expected_env = {
|
||||||
|
'HTTP_X_IDENTITY_STATUS': 'Invalid',
|
||||||
|
}
|
||||||
|
self.update_expected_env(expected_env)
|
||||||
|
|
||||||
|
req = webob.Request.blank('/')
|
||||||
|
token = 'invalid-token'
|
||||||
|
service_token = self.token_dict['uuid_service_token_default']
|
||||||
|
req.headers['X-Auth-Token'] = token
|
||||||
|
req.headers['X-Service-Token'] = service_token
|
||||||
|
body = self.middleware(req.environ, self.start_fake_response)
|
||||||
|
self.assertEqual(403, self.response_status)
|
||||||
|
self.assertEqual([FakeApp.FORBIDDEN], body)
|
||||||
|
|
||||||
|
def test_composite_auth_delay_no_user_token(self):
|
||||||
|
self.middleware._delay_auth_decision = True
|
||||||
|
self.purge_token_expected_env()
|
||||||
|
expected_env = {
|
||||||
|
'HTTP_X_IDENTITY_STATUS': 'Invalid',
|
||||||
|
}
|
||||||
|
self.update_expected_env(expected_env)
|
||||||
|
|
||||||
|
req = webob.Request.blank('/')
|
||||||
|
service_token = self.token_dict['uuid_service_token_default']
|
||||||
|
req.headers['X-Service-Token'] = service_token
|
||||||
|
body = self.middleware(req.environ, self.start_fake_response)
|
||||||
|
self.assertEqual(403, self.response_status)
|
||||||
|
self.assertEqual([FakeApp.FORBIDDEN], body)
|
||||||
|
|
||||||
|
|
||||||
|
class v2CompositeAuthTests(BaseAuthTokenMiddlewareTest,
|
||||||
|
CommonCompositeAuthTests,
|
||||||
|
testresources.ResourcedTestCase):
|
||||||
|
"""Test auth_token middleware with v2 token based composite auth.
|
||||||
|
|
||||||
|
Execute the Composite auth class tests, but with the
|
||||||
|
auth_token middleware configured to expect v2 tokens back from
|
||||||
|
a keystone server.
|
||||||
|
"""
|
||||||
|
|
||||||
|
resources = [('examples', client_fixtures.EXAMPLES_RESOURCE)]
|
||||||
|
|
||||||
|
def setUp(self):
|
||||||
|
super(v2CompositeAuthTests, self).setUp(
|
||||||
|
expected_env=EXPECTED_V2_DEFAULT_SERVICE_ENV_RESPONSE,
|
||||||
|
fake_app=CompositeFakeApp)
|
||||||
|
|
||||||
|
uuid_token_default = self.examples.UUID_TOKEN_DEFAULT
|
||||||
|
uuid_service_token_default = self.examples.UUID_SERVICE_TOKEN_DEFAULT
|
||||||
|
self.token_dict = {
|
||||||
|
'uuid_token_default': uuid_token_default,
|
||||||
|
'uuid_service_token_default': uuid_service_token_default,
|
||||||
|
}
|
||||||
|
|
||||||
|
httpretty.reset()
|
||||||
|
httpretty.enable()
|
||||||
|
self.addCleanup(httpretty.disable)
|
||||||
|
|
||||||
|
httpretty.register_uri(httpretty.GET,
|
||||||
|
"%s/" % BASE_URI,
|
||||||
|
body=VERSION_LIST_v2,
|
||||||
|
status=300)
|
||||||
|
|
||||||
|
httpretty.register_uri(httpretty.POST,
|
||||||
|
"%s/v2.0/tokens" % BASE_URI,
|
||||||
|
body=FAKE_ADMIN_TOKEN)
|
||||||
|
|
||||||
|
httpretty.register_uri(httpretty.GET,
|
||||||
|
"%s/v2.0/tokens/revoked" % BASE_URI,
|
||||||
|
body=self.examples.SIGNED_REVOCATION_LIST,
|
||||||
|
status=200)
|
||||||
|
|
||||||
|
for token in (self.examples.UUID_TOKEN_DEFAULT,
|
||||||
|
self.examples.UUID_SERVICE_TOKEN_DEFAULT,):
|
||||||
|
httpretty.register_uri(httpretty.GET,
|
||||||
|
"%s/v2.0/tokens/%s" % (BASE_URI, token),
|
||||||
|
body=
|
||||||
|
self.examples.JSON_TOKEN_RESPONSES[token])
|
||||||
|
|
||||||
|
for invalid_uri in ("%s/v2.0/tokens/invalid-token" % BASE_URI,
|
||||||
|
"%s/v2.0/tokens/invalid-service-token" % BASE_URI):
|
||||||
|
httpretty.register_uri(httpretty.GET,
|
||||||
|
invalid_uri,
|
||||||
|
body="", status=404)
|
||||||
|
|
||||||
|
self.token_expected_env = dict(EXPECTED_V2_DEFAULT_ENV_RESPONSE)
|
||||||
|
self.service_token_expected_env = dict(
|
||||||
|
EXPECTED_V2_DEFAULT_SERVICE_ENV_RESPONSE)
|
||||||
|
self.set_middleware()
|
||||||
|
|
||||||
|
|
||||||
|
class v3CompositeAuthTests(BaseAuthTokenMiddlewareTest,
|
||||||
|
CommonCompositeAuthTests,
|
||||||
|
testresources.ResourcedTestCase):
|
||||||
|
"""Test auth_token middleware with v3 token based composite auth.
|
||||||
|
|
||||||
|
Execute the Composite auth class tests, but with the
|
||||||
|
auth_token middleware configured to expect v3 tokens back from
|
||||||
|
a keystone server.
|
||||||
|
"""
|
||||||
|
|
||||||
|
resources = [('examples', client_fixtures.EXAMPLES_RESOURCE)]
|
||||||
|
|
||||||
|
def setUp(self):
|
||||||
|
super(v3CompositeAuthTests, self).setUp(
|
||||||
|
auth_version='v3.0',
|
||||||
|
fake_app=v3CompositeFakeApp)
|
||||||
|
|
||||||
|
uuid_token_default = self.examples.v3_UUID_TOKEN_DEFAULT
|
||||||
|
uuid_serv_token_default = self.examples.v3_UUID_SERVICE_TOKEN_DEFAULT
|
||||||
|
self.token_dict = {
|
||||||
|
'uuid_token_default': uuid_token_default,
|
||||||
|
'uuid_service_token_default': uuid_serv_token_default,
|
||||||
|
}
|
||||||
|
|
||||||
|
httpretty.reset()
|
||||||
|
httpretty.enable()
|
||||||
|
self.addCleanup(httpretty.disable)
|
||||||
|
|
||||||
|
httpretty.register_uri(httpretty.GET,
|
||||||
|
"%s" % BASE_URI,
|
||||||
|
body=VERSION_LIST_v3,
|
||||||
|
status=300)
|
||||||
|
|
||||||
|
# TODO(jamielennox): auth_token middleware uses a v2 admin token
|
||||||
|
# regardless of the auth_version that is set.
|
||||||
|
httpretty.register_uri(httpretty.POST,
|
||||||
|
"%s/v2.0/tokens" % BASE_URI,
|
||||||
|
body=FAKE_ADMIN_TOKEN)
|
||||||
|
|
||||||
|
# TODO(jamielennox): there is no v3 revocation url yet, it uses v2
|
||||||
|
httpretty.register_uri(httpretty.GET,
|
||||||
|
"%s/v2.0/tokens/revoked" % BASE_URI,
|
||||||
|
body=self.examples.SIGNED_REVOCATION_LIST,
|
||||||
|
status=200)
|
||||||
|
|
||||||
|
httpretty.register_uri(httpretty.GET,
|
||||||
|
"%s/v3/auth/tokens" % BASE_URI,
|
||||||
|
body=self.token_response)
|
||||||
|
|
||||||
|
self.token_expected_env = dict(EXPECTED_V2_DEFAULT_ENV_RESPONSE)
|
||||||
|
self.token_expected_env.update(EXPECTED_V3_DEFAULT_ENV_ADDITIONS)
|
||||||
|
self.service_token_expected_env = dict(
|
||||||
|
EXPECTED_V2_DEFAULT_SERVICE_ENV_RESPONSE)
|
||||||
|
self.service_token_expected_env.update(
|
||||||
|
EXPECTED_V3_DEFAULT_SERVICE_ENV_ADDITIONS)
|
||||||
|
self.set_middleware()
|
||||||
|
|
||||||
|
def token_response(self, request, uri, headers):
|
||||||
|
auth_id = request.headers.get('X-Auth-Token')
|
||||||
|
token_id = request.headers.get('X-Subject-Token')
|
||||||
|
self.assertEqual(auth_id, FAKE_ADMIN_TOKEN_ID)
|
||||||
|
headers.pop('status')
|
||||||
|
|
||||||
|
status = 200
|
||||||
|
response = ""
|
||||||
|
|
||||||
|
if token_id == ERROR_TOKEN:
|
||||||
|
raise auth_token.NetworkError("Network connection error.")
|
||||||
|
|
||||||
|
try:
|
||||||
|
response = self.examples.JSON_TOKEN_RESPONSES[token_id]
|
||||||
|
except KeyError:
|
||||||
|
status = 404
|
||||||
|
|
||||||
|
return status, headers, response
|
||||||
|
|
||||||
|
|
||||||
def load_tests(loader, tests, pattern):
|
def load_tests(loader, tests, pattern):
|
||||||
return testresources.OptimisingTestSuite(tests)
|
return testresources.OptimisingTestSuite(tests)
|
||||||
|
Loading…
Reference in New Issue
Block a user