From c4335169fd823e54a7c3ef11ab862ed0240e8b58 Mon Sep 17 00:00:00 2001
From: Jamie Lennox
Date: Mon, 27 Oct 2014 09:30:53 +0100
Subject: [PATCH] Use new ksc features in User Token Plugin When the user token plugin was created some problems were noticed. Firstly the way the auth_ref was being constructed meant that it would try and retrieve the token from the body of the message which wouldn't work for v3 or PKI tokens. To overcome this we stored the token data in the plugin and added the ability to override the token data in the auth_ref. Secondly that there was no way to signal that this plugin couldn't be reauthenticated and it would therefore retry unauthenticated requests that we knew wouldn't work. Both of these issues were addressed in keystoneclient and they should be updated to work correctly in auth_token middleware.
Change-Id: Ib1c772e55f7c7b622d0c2a55d87d77d2dc30d4bb
---
 keystonemiddleware/auth_token.py | 26 ++++++++------------------
 1 file changed, 8 insertions(+), 18 deletions(-)
diff --git a/keystonemiddleware/auth_token.py b/keystonemiddleware/auth_token.py
index cbb5c635..2a7d3682 100644
--- a/keystonemiddleware/auth_token.py
+++ b/keystonemiddleware/auth_token.py
@@ -551,24 +551,14 @@ class _UserAuthPlugin(base_identity.BaseIdentityPlugin):
 authentication plugin when communicating via a session.
 """
- def __init__(self, user_token, auth_ref):
- # FIXME(jamielennox): set reauthenticate=False here when keystoneclient
- # 0.11 is released to prevent trying to refetch authentication.
- super(_UserAuthPlugin, self).__init__()
- self._user_token = user_token
+ def __init__(self, auth_ref):
+ super(_UserAuthPlugin, self).__init__(reauthenticate=False)
 self._stored_auth_ref = auth_ref
- def get_token(self, session, **kwargs):
- # NOTE(jamielennox): This is needed partially because the AccessInfo
- # factory is so bad that we don't always get the correct token data.
- # Override and always return the token that was provided in the req.
- return self._user_token
-
 def get_auth_ref(self, session, **kwargs):
- # NOTE(jamielennox): We can't go out and fetch this auth_ref, we've
- # got it already so always return it. In the event it tries to
- # re-authenticate it will get the same old auth_ref which is not
- # perfect, but the best we can do for now.
+ # NOTE(jamielennox): We will always use the auth_ref that was
+ # calculated by the middleware. reauthenticate=False in __init__ should
+ # ensure that this function is only called on the first access.
 return self._stored_auth_ref
@@ -702,10 +692,10 @@ class AuthProtocol(object):
 self._LOG.debug('Authenticating user token')
 user_token = self._get_user_token_from_header(env)
 token_info = self._validate_token(user_token, env)
- auth_ref = access.AccessInfo.factory(body=token_info)
+ auth_ref = access.AccessInfo.factory(body=token_info,
+ auth_token=user_token)
 env['keystone.token_info'] = token_info
- env['keystone.token_auth'] = _UserAuthPlugin(
- user_token, auth_ref)
+ env['keystone.token_auth'] = _UserAuthPlugin(auth_ref)
 user_headers = self._build_user_headers(auth_ref, token_info)
 self._add_headers(env, user_headers)
 except InvalidToken:
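Review bot: The new `__init__` passes `reauthenticate=False` to the base plugin, and the second hunk passes `auth_token=` to `AccessInfo.factory`, but the diffstat shows only auth_token.py changed, so no minimum-version bump for python-keystoneclient travels with this commit. The removed FIXME ties `reauthenticate` to keystoneclient 0.11; if the declared minimum is not already at the release that carries both keywords, an older installed client would presumably fail with a TypeError on each authenticated request rather than at startup. Since `get_token` is no longer overridden, the class docstring should also state the new precondition, for example `auth_ref must already carry the user's token (built with AccessInfo.factory(..., auth_token=...)).` The class body starts outside the hunk.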
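Review bot: The token that `env['keystone.token_auth']` hands to downstream requests now depends entirely on `auth_token=user_token` in this factory call, because the first hunk removes the `get_token` override, and no test file is part of the commit. A regression test asserting that the plugin's token equals the header token for v2, v3 and PKI token bodies would catch a later change that drops the keyword and leaves the plugin forwarding whatever the body yields. A one-line comment above the call would record the reason, such as `# auth_token overrides the body: v3 and PKI bodies do not yield the token the user sent`. The enclosing try block and method start outside the hunk.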