Privatize Everything

Make s3_token and ec2_token middleware match auth_token and all
properties except the class itself are now private.

The memcache_crypt module is now private to the keystonemiddleware
package.

Change-Id: Id5103f4e9689bc2dbc6f79705030c903ae5cc406
This commit is contained in:
Morgan Fainberg 2014-07-01 17:27:31 -07:00
parent 8e626d5b77
commit 5556599b57
6 changed files with 74 additions and 73 deletions

View File

@ -162,7 +162,7 @@ from oslo.config import cfg
import six import six
from six.moves import urllib from six.moves import urllib
from keystonemiddleware import memcache_crypt from keystonemiddleware import _memcache_crypt as memcache_crypt
from keystonemiddleware.openstack.common import jsonutils from keystonemiddleware.openstack.common import jsonutils
from keystonemiddleware.openstack.common import memorycache from keystonemiddleware.openstack.common import memorycache
from keystonemiddleware.openstack.common import timeutils from keystonemiddleware.openstack.common import timeutils

View File

@ -53,7 +53,7 @@ class EC2Token(object):
def __init__(self, application): def __init__(self, application):
super(EC2Token, self).__init__() super(EC2Token, self).__init__()
self.application = application self._application = application
@webob.dec.wsgify() @webob.dec.wsgify()
def __call__(self, req): def __call__(self, req):
@ -112,7 +112,7 @@ class EC2Token(object):
# Authenticated! # Authenticated!
req.headers['X-Auth-Token'] = token_id req.headers['X-Auth-Token'] = token_id
return self.application return self._application
def filter_factory(global_conf, **local_conf): def filter_factory(global_conf, **local_conf):

View File

@ -45,15 +45,15 @@ PROTOCOL_NAME = 'S3 Token Authentication'
# TODO(kun): remove it after oslo merge this. # TODO(kun): remove it after oslo merge this.
def split_path(path, minsegs=1, maxsegs=None, rest_with_last=False): def _split_path(path, minsegs=1, maxsegs=None, rest_with_last=False):
"""Validate and split the given HTTP request path. """Validate and split the given HTTP request path.
**Examples**:: **Examples**::
['a'] = split_path('/a') ['a'] = _split_path('/a')
['a', None] = split_path('/a', 1, 2) ['a', None] = _split_path('/a', 1, 2)
['a', 'c'] = split_path('/a/c', 1, 2) ['a', 'c'] = _split_path('/a/c', 1, 2)
['a', 'c', 'o/r'] = split_path('/a/c/o/r', 1, 3, True) ['a', 'c', 'o/r'] = _split_path('/a/c/o/r', 1, 3, True)
:param path: HTTP Request path to be split :param path: HTTP Request path to be split
:param minsegs: Minimum number of segments to be extracted :param minsegs: Minimum number of segments to be extracted
@ -100,17 +100,18 @@ class S3Token(object):
def __init__(self, app, conf): def __init__(self, app, conf):
"""Common initialization code.""" """Common initialization code."""
self.app = app self._app = app
self.logger = logging.getLogger(conf.get('log_name', __name__)) self._logger = logging.getLogger(conf.get('log_name', __name__))
self.logger.debug('Starting the %s component', PROTOCOL_NAME) self._logger.debug('Starting the %s component', PROTOCOL_NAME)
self.reseller_prefix = conf.get('reseller_prefix', 'AUTH_') self._reseller_prefix = conf.get('reseller_prefix', 'AUTH_')
# where to find the auth service (we use this to validate tokens) # where to find the auth service (we use this to validate tokens)
auth_host = conf.get('auth_host') auth_host = conf.get('auth_host')
auth_port = int(conf.get('auth_port', 35357)) auth_port = int(conf.get('auth_port', 35357))
auth_protocol = conf.get('auth_protocol', 'https') auth_protocol = conf.get('auth_protocol', 'https')
self.request_uri = '%s://%s:%s' % (auth_protocol, auth_host, auth_port) self._request_uri = '%s://%s:%s' % (auth_protocol, auth_host,
auth_port)
# SSL # SSL
insecure = conf.get('insecure', False) insecure = conf.get('insecure', False)
@ -118,15 +119,15 @@ class S3Token(object):
key_file = conf.get('keyfile') key_file = conf.get('keyfile')
if insecure: if insecure:
self.verify = False self._verify = False
elif cert_file and key_file: elif cert_file and key_file:
self.verify = (cert_file, key_file) self._verify = (cert_file, key_file)
elif cert_file: elif cert_file:
self.verify = cert_file self._verify = cert_file
else: else:
self.verify = None self._verify = None
def deny_request(self, code): def _deny_request(self, code):
error_table = { error_table = {
'AccessDenied': (401, 'Access denied'), 'AccessDenied': (401, 'Access denied'),
'InvalidURI': (400, 'Could not parse the specified URI'), 'InvalidURI': (400, 'Could not parse the specified URI'),
@ -145,18 +146,18 @@ class S3Token(object):
def _json_request(self, creds_json): def _json_request(self, creds_json):
headers = {'Content-Type': 'application/json'} headers = {'Content-Type': 'application/json'}
try: try:
response = requests.post('%s/v2.0/s3tokens' % self.request_uri, response = requests.post('%s/v2.0/s3tokens' % self._request_uri,
headers=headers, data=creds_json, headers=headers, data=creds_json,
verify=self.verify) verify=self._verify)
except requests.exceptions.RequestException as e: except requests.exceptions.RequestException as e:
self.logger.info('HTTP connection exception: %s', e) self._logger.info('HTTP connection exception: %s', e)
resp = self.deny_request('InvalidURI') resp = self._deny_request('InvalidURI')
raise ServiceError(resp) raise ServiceError(resp)
if response.status_code < 200 or response.status_code >= 300: if response.status_code < 200 or response.status_code >= 300:
self.logger.debug('Keystone reply error: status=%s reason=%s', self._logger.debug('Keystone reply error: status=%s reason=%s',
response.status_code, response.reason) response.status_code, response.reason)
resp = self.deny_request('AccessDenied') resp = self._deny_request('AccessDenied')
raise ServiceError(resp) raise ServiceError(resp)
return response return response
@ -164,36 +165,36 @@ class S3Token(object):
def __call__(self, environ, start_response): def __call__(self, environ, start_response):
"""Handle incoming request. authenticate and send downstream.""" """Handle incoming request. authenticate and send downstream."""
req = webob.Request(environ) req = webob.Request(environ)
self.logger.debug('Calling S3Token middleware.') self._logger.debug('Calling S3Token middleware.')
try: try:
parts = split_path(req.path, 1, 4, True) parts = _split_path(req.path, 1, 4, True)
version, account, container, obj = parts version, account, container, obj = parts
except ValueError: except ValueError:
msg = 'Not a path query, skipping.' msg = 'Not a path query, skipping.'
self.logger.debug(msg) self._logger.debug(msg)
return self.app(environ, start_response) return self._app(environ, start_response)
# Read request signature and access id. # Read request signature and access id.
if 'Authorization' not in req.headers: if 'Authorization' not in req.headers:
msg = 'No Authorization header. skipping.' msg = 'No Authorization header. skipping.'
self.logger.debug(msg) self._logger.debug(msg)
return self.app(environ, start_response) return self._app(environ, start_response)
token = req.headers.get('X-Auth-Token', token = req.headers.get('X-Auth-Token',
req.headers.get('X-Storage-Token')) req.headers.get('X-Storage-Token'))
if not token: if not token:
msg = 'You did not specify an auth or a storage token. skipping.' msg = 'You did not specify an auth or a storage token. skipping.'
self.logger.debug(msg) self._logger.debug(msg)
return self.app(environ, start_response) return self._app(environ, start_response)
auth_header = req.headers['Authorization'] auth_header = req.headers['Authorization']
try: try:
access, signature = auth_header.split(' ')[-1].rsplit(':', 1) access, signature = auth_header.split(' ')[-1].rsplit(':', 1)
except ValueError: except ValueError:
msg = 'You have an invalid Authorization header: %s' msg = 'You have an invalid Authorization header: %s'
self.logger.debug(msg, auth_header) self._logger.debug(msg, auth_header)
return self.deny_request('InvalidURI')(environ, start_response) return self._deny_request('InvalidURI')(environ, start_response)
# NOTE(chmou): This is to handle the special case with nova # NOTE(chmou): This is to handle the special case with nova
# when we have the option s3_affix_tenant. We will force it to # when we have the option s3_affix_tenant. We will force it to
@ -215,7 +216,7 @@ class S3Token(object):
'token': token, 'token': token,
'signature': signature}} 'signature': signature}}
creds_json = jsonutils.dumps(creds) creds_json = jsonutils.dumps(creds)
self.logger.debug('Connecting to Keystone sending this JSON: %s', self._logger.debug('Connecting to Keystone sending this JSON: %s',
creds_json) creds_json)
# NOTE(vish): We could save a call to keystone by having # NOTE(vish): We could save a call to keystone by having
# keystone return token, tenant, user, and roles # keystone return token, tenant, user, and roles
@ -230,10 +231,10 @@ class S3Token(object):
except ServiceError as e: except ServiceError as e:
resp = e.args[0] resp = e.args[0]
msg = 'Received error, exiting middleware with error: %s' msg = 'Received error, exiting middleware with error: %s'
self.logger.debug(msg, resp.status_code) self._logger.debug(msg, resp.status_code)
return resp(environ, start_response) return resp(environ, start_response)
self.logger.debug('Keystone Reply: Status: %d, Output: %s', self._logger.debug('Keystone Reply: Status: %d, Output: %s',
resp.status_code, resp.content) resp.status_code, resp.content)
try: try:
@ -242,16 +243,16 @@ class S3Token(object):
tenant = identity_info['access']['token']['tenant'] tenant = identity_info['access']['token']['tenant']
except (ValueError, KeyError): except (ValueError, KeyError):
error = 'Error on keystone reply: %d %s' error = 'Error on keystone reply: %d %s'
self.logger.debug(error, resp.status_code, resp.content) self._logger.debug(error, resp.status_code, resp.content)
return self.deny_request('InvalidURI')(environ, start_response) return self._deny_request('InvalidURI')(environ, start_response)
req.headers['X-Auth-Token'] = token_id req.headers['X-Auth-Token'] = token_id
tenant_to_connect = force_tenant or tenant['id'] tenant_to_connect = force_tenant or tenant['id']
self.logger.debug('Connecting with tenant: %s', tenant_to_connect) self._logger.debug('Connecting with tenant: %s', tenant_to_connect)
new_tenant_name = '%s%s' % (self.reseller_prefix, tenant_to_connect) new_tenant_name = '%s%s' % (self._reseller_prefix, tenant_to_connect)
environ['PATH_INFO'] = environ['PATH_INFO'].replace(account, environ['PATH_INFO'] = environ['PATH_INFO'].replace(account,
new_tenant_name) new_tenant_name)
return self.app(environ, start_response) return self._app(environ, start_response)
def filter_factory(global_conf, **local_conf): def filter_factory(global_conf, **local_conf):

View File

@ -13,7 +13,7 @@
import six import six
import testtools import testtools
from keystonemiddleware import memcache_crypt from keystonemiddleware import _memcache_crypt as memcache_crypt
class MemcacheCryptPositiveTests(testtools.TestCase): class MemcacheCryptPositiveTests(testtools.TestCase):

View File

@ -158,7 +158,7 @@ class S3TokenMiddlewareTestBad(S3TokenMiddlewareTestBase):
req.headers['Authorization'] = 'access:signature' req.headers['Authorization'] = 'access:signature'
req.headers['X-Storage-Token'] = 'token' req.headers['X-Storage-Token'] = 'token'
resp = req.get_response(self.middleware) resp = req.get_response(self.middleware)
s3_denied_req = self.middleware.deny_request('AccessDenied') s3_denied_req = self.middleware._deny_request('AccessDenied')
self.assertEqual(resp.body, s3_denied_req.body) self.assertEqual(resp.body, s3_denied_req.body)
self.assertEqual(resp.status_int, s3_denied_req.status_int) self.assertEqual(resp.status_int, s3_denied_req.status_int)
@ -168,13 +168,13 @@ class S3TokenMiddlewareTestBad(S3TokenMiddlewareTestBase):
req.headers['X-Storage-Token'] = 'token' req.headers['X-Storage-Token'] = 'token'
resp = req.get_response(self.middleware) resp = req.get_response(self.middleware)
self.assertEqual(resp.status_int, 400) self.assertEqual(resp.status_int, 400)
s3_invalid_req = self.middleware.deny_request('InvalidURI') s3_invalid_req = self.middleware._deny_request('InvalidURI')
self.assertEqual(resp.body, s3_invalid_req.body) self.assertEqual(resp.body, s3_invalid_req.body)
self.assertEqual(resp.status_int, s3_invalid_req.status_int) self.assertEqual(resp.status_int, s3_invalid_req.status_int)
def test_fail_to_connect_to_keystone(self): def test_fail_to_connect_to_keystone(self):
with mock.patch.object(self.middleware, '_json_request') as o: with mock.patch.object(self.middleware, '_json_request') as o:
s3_invalid_req = self.middleware.deny_request('InvalidURI') s3_invalid_req = self.middleware._deny_request('InvalidURI')
o.side_effect = s3_token.ServiceError(s3_invalid_req) o.side_effect = s3_token.ServiceError(s3_invalid_req)
req = webob.Request.blank('/v1/AUTH_cfa/c/o') req = webob.Request.blank('/v1/AUTH_cfa/c/o')
@ -192,45 +192,45 @@ class S3TokenMiddlewareTestBad(S3TokenMiddlewareTestBase):
req.headers['Authorization'] = 'access:signature' req.headers['Authorization'] = 'access:signature'
req.headers['X-Storage-Token'] = 'token' req.headers['X-Storage-Token'] = 'token'
resp = req.get_response(self.middleware) resp = req.get_response(self.middleware)
s3_invalid_req = self.middleware.deny_request('InvalidURI') s3_invalid_req = self.middleware._deny_request('InvalidURI')
self.assertEqual(resp.body, s3_invalid_req.body) self.assertEqual(resp.body, s3_invalid_req.body)
self.assertEqual(resp.status_int, s3_invalid_req.status_int) self.assertEqual(resp.status_int, s3_invalid_req.status_int)
class S3TokenMiddlewareTestUtil(testtools.TestCase): class S3TokenMiddlewareTestUtil(testtools.TestCase):
def test_split_path_failed(self): def test_split_path_failed(self):
self.assertRaises(ValueError, s3_token.split_path, '') self.assertRaises(ValueError, s3_token._split_path, '')
self.assertRaises(ValueError, s3_token.split_path, '/') self.assertRaises(ValueError, s3_token._split_path, '/')
self.assertRaises(ValueError, s3_token.split_path, '//') self.assertRaises(ValueError, s3_token._split_path, '//')
self.assertRaises(ValueError, s3_token.split_path, '//a') self.assertRaises(ValueError, s3_token._split_path, '//a')
self.assertRaises(ValueError, s3_token.split_path, '/a/c') self.assertRaises(ValueError, s3_token._split_path, '/a/c')
self.assertRaises(ValueError, s3_token.split_path, '//c') self.assertRaises(ValueError, s3_token._split_path, '//c')
self.assertRaises(ValueError, s3_token.split_path, '/a/c/') self.assertRaises(ValueError, s3_token._split_path, '/a/c/')
self.assertRaises(ValueError, s3_token.split_path, '/a//') self.assertRaises(ValueError, s3_token._split_path, '/a//')
self.assertRaises(ValueError, s3_token.split_path, '/a', 2) self.assertRaises(ValueError, s3_token._split_path, '/a', 2)
self.assertRaises(ValueError, s3_token.split_path, '/a', 2, 3) self.assertRaises(ValueError, s3_token._split_path, '/a', 2, 3)
self.assertRaises(ValueError, s3_token.split_path, '/a', 2, 3, True) self.assertRaises(ValueError, s3_token._split_path, '/a', 2, 3, True)
self.assertRaises(ValueError, s3_token.split_path, '/a/c/o/r', 3, 3) self.assertRaises(ValueError, s3_token._split_path, '/a/c/o/r', 3, 3)
self.assertRaises(ValueError, s3_token.split_path, '/a', 5, 4) self.assertRaises(ValueError, s3_token._split_path, '/a', 5, 4)
def test_split_path_success(self): def test_split_path_success(self):
self.assertEqual(s3_token.split_path('/a'), ['a']) self.assertEqual(s3_token._split_path('/a'), ['a'])
self.assertEqual(s3_token.split_path('/a/'), ['a']) self.assertEqual(s3_token._split_path('/a/'), ['a'])
self.assertEqual(s3_token.split_path('/a/c', 2), ['a', 'c']) self.assertEqual(s3_token._split_path('/a/c', 2), ['a', 'c'])
self.assertEqual(s3_token.split_path('/a/c/o', 3), ['a', 'c', 'o']) self.assertEqual(s3_token._split_path('/a/c/o', 3), ['a', 'c', 'o'])
self.assertEqual(s3_token.split_path('/a/c/o/r', 3, 3, True), self.assertEqual(s3_token._split_path('/a/c/o/r', 3, 3, True),
['a', 'c', 'o/r']) ['a', 'c', 'o/r'])
self.assertEqual(s3_token.split_path('/a/c', 2, 3, True), self.assertEqual(s3_token._split_path('/a/c', 2, 3, True),
['a', 'c', None]) ['a', 'c', None])
self.assertEqual(s3_token.split_path('/a/c/', 2), ['a', 'c']) self.assertEqual(s3_token._split_path('/a/c/', 2), ['a', 'c'])
self.assertEqual(s3_token.split_path('/a/c/', 2, 3), ['a', 'c', '']) self.assertEqual(s3_token._split_path('/a/c/', 2, 3), ['a', 'c', ''])
def test_split_path_invalid_path(self): def test_split_path_invalid_path(self):
try: try:
s3_token.split_path('o\nn e', 2) s3_token._split_path('o\nn e', 2)
except ValueError as err: except ValueError as err:
self.assertEqual(str(err), 'Invalid path: o%0An%20e') self.assertEqual(str(err), 'Invalid path: o%0An%20e')
try: try:
s3_token.split_path('o\nn e', 2, 3, True) s3_token._split_path('o\nn e', 2, 3, True)
except ValueError as err: except ValueError as err:
self.assertEqual(str(err), 'Invalid path: o%0An%20e') self.assertEqual(str(err), 'Invalid path: o%0An%20e')